Conversation:
MMN-o ✅⃠ (mmn), Thursday, 01-Sep-2016 17:45:18 EDT: @hannes2peer Reasonably, source shouldn't be HTML at all! So just escaping it on output is good enough, I think.
MMN-o ✅⃠ (mmn), Thursday, 01-Sep-2016 18:21:36 EDT: @hannes2peer @maiyannah I've been looking at it now and I'm curious where someone can put their own URL in there in a way that will be output to !qvitter, since it's only HTML if Notice->getSource returns a Notice_source object, which should be under server control and not affected by user input.
MMN-o ✅⃠ (mmn), Thursday, 01-Sep-2016 18:43:55 EDT: @hannes2peer @maiyannah Ah no, alright, I didn't read the whole getSource function: http://status.hackerposse.com/url/11840 That thing means API clients can choose their own source names (which is a good thing) and match against OAuth applications (matching up so the name gets linked). It's when the HTML in !GNUsocial gets built that nasty stuff gets in. I have now redac…
MMN-o ✅⃠ (mmn), Thursday, 01-Sep-2016 19:10:28 EDT: @hannes2peer @maiyannah @moonman what I did (mostly the second link):
https://git.gnu.io/gnu/gnu-social/commit/15ab9ff9e3303255ff14166ee86ffdf3bc4f52ce
https://git.gnu.io/gnu/gnu-social/commit/a7043bf7cc6956abd344149332290564eda5d1f4
MMN-o ✅⃠ (mmn), Friday, 02-Sep-2016 04:47:44 EDT: @oemplojerad Just hope I found all the places.