Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize name of sharee #9040

Merged
merged 2 commits into from
Jun 16, 2014
Merged

Sanitize name of sharee #9040

merged 2 commits into from
Jun 16, 2014

Conversation

LukasReschke
Copy link
Member

Fixes a XSS introduced with 271684d

@DeepDiver1975 @PVince81 @karlitschek

@LukasReschke
Sanitize name of sharee
1066f4e 
Fixes a XSS introduced with 271684d
@LukasReschke
Copy link
Member Author

Gnah - that needs also to get fixed in other places 😠

@LukasReschke
Copy link
Member Author

Ready for review.

I'm annoyed by all those XSS that we had due to the default behaviour being allowing HTML in interpolations. Let's change this for oC8.

@karlitschek
Copy link
Contributor

👍

@scrutinizer-notifier
Copy link

The inspection completed: 2 new issues

@ghost
Copy link

ghost commented Jun 14, 2014

🚀 Test Passed. 🚀
Refer to this link for build results: https://ci.owncloud.org/job/pull-request-analyser/5608/

@ghost
Copy link

ghost commented Jun 14, 2014

🚀 Test Passed. 🚀
Refer to this link for build results: https://ci.owncloud.org/job/pull-request-analyser/5609/

@LukasReschke LukasReschke added this to the ownCloud 7 milestone Jun 15, 2014
@PVince81
Copy link
Contributor

Shouldn't the escaping be the responsibility of the t() function ?
This is what I would have expected, as I believe the server side translation call also does that.
I might not be the only dev believing that it does, so fixing it in t() should avoid future errors.

I don't think it's good to allow injecting of HTML code with variables like that anyway.

@PVince81
Copy link
Contributor

I quickly grepped the core code and didn't find any occurrence where tags are used as a value.
But other apps might do that.

@LukasReschke
Copy link
Member Author

I don't think it's good to allow injecting of HTML code with variables like that anyway.

ACK. As stated above by me. But I'm not sure whether we should do such a breaking change in the feature freeze.

@PVince81
Copy link
Contributor

Ok, makes sense 👍

Can you make a separate ticket so we don't forget to fix it ?

MorrisJobke added a commit that referenced this pull request Jun 16, 2014
@MorrisJobke
Merge pull request #9040 from owncloud/fix-xss
4fbab3c 
Sanitize name of sharee
@MorrisJobke MorrisJobke merged commit 4fbab3c into master Jun 16, 2014
@MorrisJobke MorrisJobke deleted the fix-xss branch June 16, 2014 11:13
@MorrisJobke
Copy link
Contributor

#9046

@MorrisJobke MorrisJobke mentioned this pull request Jun 16, 2014
Closed
PVince81 referenced this pull request Jun 17, 2014
@icewind1991
organize js a bit better
2219087
@lock lock bot locked as resolved and limited conversation to collaborators Aug 16, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
security sev1-critical Type:Bug
Projects
None yet
Milestone
7.0
Development

Successfully merging this pull request may close these issues.
6 participants
@LukasReschke @karlitschek @scrutinizer-notifier @PVince81 @MorrisJobke @butonic