Differential D1322

fix XSS vulnerability in readme rendering for txt, md
ClosedPublic
Actions

Authored by kalpitk on Mar 30 2019, 1:01 PM.

Details

Reviewers

None

Group Reviewers

Reviewers

Commits

rDWAPPS4d9d866f0b3f: fix XSS vulnerability in readme rendering for txt, md

Summary

While rendering readme, scripts were also being executed.
Example - https://archive.softwareheritage.org/browse/origin/https://github.com/kalpitk/test/directory/
and https://archive.softwareheritage.org/browse/revision/8428612a5f8d115deff9463fdff6da62d2fc6091/?origin=https://github.com/kalpitk/test

Diff Detail

Repository

rDWAPPS Web applications

Branch

xss-vul

Lint

No Linters Available

Unit

No Unit Test Coverage

Build Status

Buildable 4962
Build 6639: tox-on-jenkins	Jenkins
Build 6638: arc lint + arc unit

Event Timeline

kalpitk created this revision.Mar 30 2019, 1:01 PM

Herald added a reviewer: Reviewers. · View Herald TranscriptMar 30 2019, 1:01 PM

kalpitk edited the summary of this revision. (Show Details)Mar 30 2019, 1:04 PM

Build is green
See https://jenkins.softwareheritage.org/job/DWAPPS/job/tox/368/ for more details.

Harbormaster completed remote builds in B4962: Diff 4199.Mar 30 2019, 1:05 PM

This revision was not accepted when it landed; it landed in state Needs Review.Mar 30 2019, 3:44 PM

Closed by commit rDWAPPS4d9d866f0b3f: fix XSS vulnerability in readme rendering for txt, md (authored by kalpitk, committed by anlambert). · Explain Why

This revision was automatically updated to reflect the committed changes.

Nice catch! Thanks! landed.

kalpitk mentioned this in T1642: Images with src within repo dont render in Readme.Apr 10 2019, 7:26 PM

anlambert mentioned this in D1412: assets/readme-rendering: Use dompurify as XSS filter.Apr 12 2019, 2:52 PM

vlorentz mentioned this in T4231: Split archive browsing and administration/moderation.May 11 2022, 11:19 AM

Revision Contents
Changeset List

Path

Size

package.json

3 lines

swh/

web/

assets/

src/

bundles/

webapp/

readme-rendering.js

7 lines

yarn.lock

22 lines

Diff 4199

View Options

package.json

View Options

swh/web/assets/src/bundles/webapp/readme-rendering.js

View Options

fix XSS vulnerability in readme rendering for txt, mdClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 4199

package.json

swh/web/assets/src/bundles/webapp/readme-rendering.js

yarn.lock

fix XSS vulnerability in readme rendering for txt, md
ClosedPublic
Actions

Revision Contents
Changeset List