-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[sec-critical] Escape HTML special characters #16
Comments
Yikes, thanks @fbender. Will fix today. |
Actually, I don't know how to escape HTML rendered via XSLT. @karlcow, this is more your area of expertise.... any suggestions? Seems like we want to escape all the instances of |
@fbender was it visible in your feed reader or in the planet.webcompat.com home page? Given the screenshot probably in the HTML. So the intent emails are coming from Yahoo! Pipes which will disappear soon.
The thing which is a bit strange is I thought the sanitization was handled on the python code side of venus and not the xslt templates. Hmmm needs to investigate. Original message is at @miketaylr could you check what Yahoo! Pipes is sending us? |
ok making progress. This is what the pipes xml feed looks like in my reader. So the input is escaped. And somehow we have converted it again to html when copying the description. This is strange. <item>
<title>Intent to implement: directory picking and directory drag and drop</title>
<link>https://groups.google.com/d/msg/mozilla.dev.platform/Q3BLd4Cwj6Q/JwmBVf7zIgAJ</link>
<description>MS has a proposal for a minimal set of functionality to support
directory picking via <input> and to support directory drag and drop.
https://microsoftedge.github.io/directory-upload/proposal.html
This spec is a work in progress but we now have an implementation for platforms that have a</description>
<author>Jonathan Watt</author>
<guid isPermaLink="false">https://groups.google.com/d/topic/mozilla.dev.platform/Q3BLd4Cwj6Q</guid>
<pubDate>Wed, 29 Jul 2015 15:37:14 +0000</pubDate>
</item> The original template for index.html.xslt Ours Pretty similar. Happening before? |
(btw I thought this repo was transferred to github/webcompat/ ^_^ ) |
Yeah, the main repo is over there -- but I had forgotten to enable issues. So we can discuss here and make fixes there. |
@fbender, just to verify -- are you consuming planet.webcompat.com through a web browser? Or its feed in a feed-reader? |
Browser (Firefox)!
|
The issue exists in atom.xml.xslt and index.xml.xslt I spent a big chunk of time today on this without getting any fruitful results. 🐲 My impression is that it is not at the XSLT level (the default xslt there in the venus project output the exact same thing) but really at the level of python in the original venus code. The frustrating bits come from this. Let's imagine <description>MS has a proposal for a minimal set
of functionality to support directory picking
via <input> and < to support directory drag and drop.
https://microsoftedge.github.io/directory-upload/proposal.html
This spec is a work in progress but we now have an
implementation for platforms that have a</description> This is converted as <summary type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml">MS has a proposal for a minimal set
of functionality to support directory picking
via <input/> and < to support directory drag and drop.
https://microsoftedge.github.io/directory-upload/proposal.html
This spec is a work in progress but we now have an
implementation for platforms that have a</div>
</summary> and if had used: via <input> and < and <boo> to support directory drag and drop. It is converted as: via <input/> and < and to support directory drag and drop. So the issue is somewhere in the sanitization process in python (venus or feedparser). Btw using the atom.xml.xslt from the common folder in the original venus project leads to the same result. |
Can you do a post-processing which encodes the HTML special characters then reverses the process for double-encoding like It seems that venus is no longer maintained. I posted a related issue some time ago, still no response … rubys/venus#24 |
Yes it's possible to certainly fix it in the venus python code. I could dive into that. We will have to be careful in case of merge, but many the risk is minimal given that venus seems not maintained. |
Currently, HTML code in blog posts is not escaped but rendered. This could lead to XSS etc., but also makes the planet harder to read. Please escape the following characters:
<
,>
,&
,"
,'
Issue is currently visible at Jonathan's Intent to Implement on July 29th:
The text was updated successfully, but these errors were encountered: