assets/xss-filtering: Strip any query parameters from img src attribute
Closed, Public

Authored by anlambert on Nov 5 2021, 12:11 PM.

Details

Summary

When attempting to replace a relative image URL with the one for getting
the image bytes from the archive content, ensure that query parameters
are stripped from the image src attribute; otherwise the image path
will not be found in the archive.

This will fix most of the errors reported in that Sentry issue.

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Build is green

Patch application report for D6614 (id=24017)

Rebasing onto 1e106c798e...

Current branch diff-target is up to date.
Changes applied before test
commit 70fe85e2c931d28e299e3dd552442640c3c381cd
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Fri Nov 5 12:07:35 2021 +0100

    assets/xss-filtering: Strip any query parameters from img src attribute
    
    When attempting to replace a relative image url with the one for getting
    the image bytes from the archive content, ensure that query parameters
    will be stripped from the image src attribute otherwise the image path
    will not be found in the archive.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1222/ for more details.

What if there is a & character in the path?

Not an issue, the URL object will correctly parse it as part of the path.

>>> s = "http://example.org/path&/foo?service=swh&query=bar"
"http://example.org/path&/foo?service=swh&query=bar"
>>> new URL(s)
URL { href: "http://example.org/path&/foo?service=swh&query=bar", origin: "http://example.org", protocol: "http:", username: "", password: "", host: "example.org", hostname: "example.org", port: "", pathname: "/path&/foo", search: "?service=swh&query=bar" }

Then when doing this:

directoryUrl += `?path=${path}`;

directoryUrl will end with ?path=/path&/foo and that's not good

Ah right, this needs to be percent encoded.

Update: Ensure to pass a valid url to URL constructor and encode path query parameter value
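The two points settled in this thread (a literal `&` survives inside `URL.pathname`, and the path must be percent-encoded before it is appended as a query parameter value), as an added JavaScript example that is not the swh-web code in this revision; the function names, the RESOLVE_BASE placeholder and the decoding of an already percent-encoded src are assumptions for illustration.

```javascript
// Added example, not code from the swh-web revision above. Shows the two
// points raised in the review: the URL constructor keeps a literal '&'
// inside pathname, and the path must be percent-encoded before it is
// appended as a query parameter value.

// Constructed base so the URL constructor always gets a valid absolute
// URL, even for a bare relative src such as "img/logo.png?v=3".
const RESOLVE_BASE = 'https://archive.example.org/';

// Archive-relative path of an <img src>, with query string and fragment
// dropped: the archive resolves a file by path alone.
// Returns null for references to another origin, which are left alone.
function imagePathFromSrc(src) {
  try {
    const url = new URL(src, RESOLVE_BASE);
    if (url.origin !== new URL(RESOLVE_BASE).origin) {
      return null;
    }
    // pathname excludes '?' and '#' and keeps '&' as path data; it is
    // still percent-encoded, so decode it to get the real file name
    // (assumption: archive paths are stored decoded).
    return decodeURIComponent(url.pathname.replace(/^\/+/, ''));
  } catch (e) {
    // Unparsable src or malformed percent escape: leave the attribute as is.
    return null;
  }
}

// Append the path as a query parameter value. encodeURIComponent maps
// '&' to %26 (and '/' to %2F), so "path&/foo" can no longer be read
// as a second parameter named "/foo" on the receiving side.
function buildDirectoryUrl(directoryUrl, path) {
  return `${directoryUrl}?path=${encodeURIComponent(path)}`;
}

// Rewrite a single src attribute; non-archive references pass through.
function rewriteImageSrc(src, directoryUrl) {
  const path = imagePathFromSrc(src);
  return path === null ? src : buildDirectoryUrl(directoryUrl, path);
}
```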

Build is green

Patch application report for D6614 (id=24025)

Rebasing onto 1e106c798e...

Current branch diff-target is up to date.
Changes applied before test
commit 0b1eca3e58b104d5a4270477e7b584882a1ea714
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Fri Nov 5 12:07:35 2021 +0100

    assets/xss-filtering: Strip any query parameters from img src attribute
    
    When attempting to replace a relative image url with the one for getting
    the image bytes from the archive content, ensure that query parameters
    will be stripped from the image src attribute otherwise the image path
    will not be found in the archive.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1224/ for more details.

Build is green

Patch application report for D6614 (id=24026)

Rebasing onto 1e106c798e...

Current branch diff-target is up to date.
Changes applied before test
commit e0f33695c7b31d61be4bcabce14a4defd9da9f4b
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Fri Nov 5 12:07:35 2021 +0100

    assets/xss-filtering: Strip any query parameters from img src attribute
    
    When attempting to replace a relative image url with the one for getting
    the image bytes from the archive content, ensure that query parameters
    will be stripped from the image src attribute otherwise the image path
    will not be found in the archive.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1225/ for more details.

This revision is now accepted and ready to land. Nov 8 2021, 10:45 AM