SECURITY: Fix #5565 by htmlEncoding titles in issues and milestones #5570
Conversation
There are likely problems remaining with the way that initCommentForm is creating its elements. I suspect that a malformed avatar url could be used maliciously.
Still to look at:
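The fix this PR describes is to HTML-encode issue and milestone titles before the client-side script interpolates them into markup. The following is an added example, not Gitea's code or the code changed in this PR: it shows the encoding step and contrasts a template that concatenates a raw title with the same template applied to the encoded title. The function names, the wrapper markup and the sample title are all constructed for the illustration.

```javascript
// Added example (not Gitea's own code): HTML-encode untrusted text before it
// is interpolated into markup, as this PR does for issue and milestone titles.
// Assumed: the client builds HTML strings for list items / labels.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change meaning inside HTML text or
// attribute values. '&' is replaced in the same pass as the others, so raw
// (not already encoded) input is encoded exactly once.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the raw title is concatenated into markup, so any tags or
// attribute-breaking quotes in the title become part of the document.
function renderTitleUnsafe(title) {
  return `<div class="item">${title}</div>`;
}

// Hardened pattern: the same template, with the title encoded first.
function renderTitleSafe(title) {
  return `<div class="item">${htmlEncode(title)}</div>`;
}

// Constructed sample: an issue title that happens to contain markup,
// an ampersand and quotes (the characters the encoder must handle).
const SAMPLE_TITLE = 'Handle <i>emphasis</i>, an & and "quotes" in titles';

// Check used by the tests: after stripping the wrapper we emitted, does the
// rendered string still contain anything that parses as a tag?
function containsForeignTag(html) {
  const inner = html.replace(/^<div class="item">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z/]/.test(inner);
}

module.exports = { htmlEncode, renderTitleUnsafe, renderTitleSafe, containsForeignTag, SAMPLE_TITLE };
```

When a real DOM is available, creating the element and assigning the title through a text node or `textContent` avoids the encoding step altogether; encoding is the right tool where strings are interpolated into HTML, which is the situation the PR addresses.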
Codecov Report
@@ Coverage Diff @@
## master #5570 +/- ##
==========================================
- Coverage 37.56% 37.55% -0.02%
==========================================
Files 321 321
Lines 47206 47206
==========================================
- Hits 17732 17726 -6
Misses 26933 26933
- Partials 2541 2547 +6
Continue to review full report at Codecov.
OK regarding point 2. It appears that this is a deliberate decision on behalf of the team. So I won't change this. Calling @lunny @lafriks - Re: Repository and Markup descriptions being a basic form of html. Is this intentional? It's not obvious from the input fields that this is intentional and that the markup is a shortened form of HTML. We should probably partially sanitise on save to these fields - otherwise when people query the API they'll get the unsanitised descriptions and will have to sanitise, likely getting it wrong.
@zeripath why not change server-side to add escape on these two form values?
@lunny I'm not sure I understand. At the moment the Repository and Milestone descriptions are both relatively rich-text markup using an (unspecified) subset of html which is only sanitised on display. There are a few questions:
If they weren't intended to be rich-text, excellent! We can simply properly escape. They're both secure as it stands right now though - just potentially unsafe for downstream API users and slightly surprising as a user.
So the rest of index.js appears to be ok.
I agree that we need to look into things more, however I think this is a good interim measure to protect users while we discuss a long-term solution. @lunny I'll let you decide if this is an ok approach.
@zeripath I agree that it's not clear on Repository and Milestone descriptions supporting rich text. @techknowlogick let's go ahead with this PR and make a new issue to discuss that more. Thanks for your work!
Created backport at #5575
There are likely problems remaining with the way that initCommentForm
is creating its elements. I suspect that a malformed avatar url could
be used maliciously.
Fixes the immediate issue in #5565