Page MenuHomeSoftware Heritage
Create Task
Maniphest T640

API: add HTML escapes in displayed data
Closed, MigratedEdits Locked
Actions

Description

When accessing, for instance, a revision in the web API, the JSON data is not escaped.

Example : author -> fullname in https://archive.softwareheritage.org/api/1/revision/18d8be353ed3480476f032475e7c233eff7371d5/

This makes us vulnerable to code injections and should be fixed throughout the API views.

Revisions and Commits

rDWAPPS Web applications
rDWAPPSd5ce45a54e0a renderers: escape contents of API return values

Related Objects

Event Timeline

olasd created this task.Jan 19 2017, 4:08 PM
olasd added a project: Restricted Project.
olasd moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
zack added a subscriber: zack.Jan 19 2017, 4:14 PM

For the record, the problem with the specific example is that the actual JSON (which is partly hidden if you look at it via browser), reads:

"author": {
    "email": "robot@softwareheritage.org",
    "fullname": "Software Heritage <robot@softwareheritage.org>",
    "id": 3661419,
    "name": "Software Heritage"
},
ardumont mentioned this in rDWAPPSc1db20101c18: apidoc: Add partial html escape in displayed data.Jan 20 2017, 12:27 PM
zack raised the priority of this task from Normal to High.Jan 24 2017, 10:22 AM
olasd closed this task as Resolved by committing rDWAPPSd5ce45a54e0a: renderers: escape contents of API return values.Jan 26 2017, 4:44 PM
olasd added a commit: rDWAPPSd5ce45a54e0a: renderers: escape contents of API return values.
olasd mentioned this in rDWAPPS1690386fa577: renderers: remove escape_author_fields.Jan 26 2017, 5:14 PM
ardumont mentioned this in R65:c1db20101c18: apidoc: Add partial html escape in displayed data.Feb 23 2019, 1:55 AM
olasd mentioned this in R65:1690386fa577: renderers: remove escape_author_fields.Feb 23 2019, 1:56 AM
gitlab-migration changed the task status from Resolved to Migrated.Jan 8 2023, 4:20 PM
gitlab-migration claimed this task.
gitlab-migration added a subscriber: gitlab-migration.

This task has been migrated to GitLab.

About · Developer information · Legal