Conversation:
Notices
-
!gnusocial — I posted some JavaScript via the AtomPub API and the server didn't seem to mind. The good news is that when I saw the notice on LoadAverage and the Quitters, the script tags had been stripped — I don't know if that happened when the notice was federated, or whether the UIs on those sites did it — but here on !SDF (we're running the classic UI), the code ran. That's probably not good.
-
@laemeur 'ang on, that should be put through htmlspecialchars. I'll fix this as soon as I get home if it's my fault. I've usually been good at escaping (especially telling others to do so!). So embarrassing :)
-
@laemeur but I think I know why (before looking at code). The AtomPub API probably relied on a purifier in Notice::saveNew, but since I've switched to Notice::saveActivity it (recently) started trusting the input to that function (so plugins/the API are responsible for purifying). And I just never added that check to AtomPub.
-
@laemeur good thing that no one uses the AtomPub API! Haw haw
-
@laemeur https://git.gnu.io/gnu/gnu-social/commit/5167b1fa408aa486ad75c8ddd3c71cb568dc84a3
Please make sure I didn't break anything else ;)
common_purify removes bad stuff. Including <img>, <video> and <audio>! And any style attributes on HTML elements. And a bunch of other evil stuff.
-
@mmn That previous post could make people think I was drunk, but it was just an OSD keyboard.
-
@laemeur There was an XSS vulnerability in an older !gnusocial version that was fixed.
-
@navigium The #AtomPub input was actually filtered before, but a recent commit removed that accidentally (because I assumed it was "purified" before entering that function). That change has now been reverted. Also, it only affected the AtomPub API (afaik, but I'm reasonably sure :P) during that short period.
But yeah, all !gnusocial users are recommended to update (both master and nightly branches).
-
@n2admin Oh I'm an XML lover. Can't give up on that! #ILoveXML
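
The two posts above about the AtomPub path trusting its input (the purifier that Notice::saveNew applied is not applied by Notice::saveActivity, so the caller must purify) and about what common_purify strips describe a check that is easier to see in code. What follows is an added example written for this page, in Python rather than the project's PHP, and it is not GNU social's code: it pulls the HTML content out of an Atom entry and runs it through a small allow-list purifier before anything would store it, next to the plain-escape alternative that htmlspecialchars would give. The sample entry, the element and attribute allow-lists and the function names (extract_html_content, purify, save_activity, escape_only) are all constructed for the example; the only rules attributed to common_purify are the ones named in the thread (img, video, audio and style attributes go).

```python
"""Added example, not GNU social's code: purify AtomPub content before it
reaches a save function that trusts its caller."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample of what a client might POST to an AtomPub collection.
# The HTML lives entity-escaped inside <content type="html">, as Atom requires.
SAMPLE_ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom">
  <title>test</title>
  <content type="html">&lt;p style="color:red"&gt;hi &lt;a href="https://sdf.org" onclick="alert(1)"&gt;SDF&lt;/a&gt;&lt;/p&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;img src=x onerror=alert(2)&gt;</content>
</entry>
"""

# Allow-lists are assumptions for this example, not common_purify's real ones.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "br", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # style and on* never survive
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Elements dropped together with everything inside them (the thread names
# video/audio; script is the one that actually ran on the classic UI).
DROP_WITH_CONTENT = {"script", "style", "video", "audio", "iframe", "object"}


class Purifier(HTMLParser):
    """Rebuilds a fragment from an allow-list; unknown tags are removed but
    their text is kept, and dropped subtrees disappear completely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:      # e.g. <img ... onerror=...>: tag goes
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                 # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs already decoded entities, so re-escape the text
            self.out.append(html.escape(data, quote=False))


def purify(fragment: str) -> str:
    """Allow-list purification: keeps harmless markup, removes the rest."""
    parser = Purifier()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def escape_only(fragment: str) -> str:
    """The htmlspecialchars answer: no markup survives at all."""
    return html.escape(fragment, quote=True)


def extract_html_content(entry_xml: str) -> str:
    """Returns the entry's content as an HTML fragment, still untrusted."""
    root = ET.fromstring(entry_xml)
    content = root.find(ATOM_NS + "content")
    if content is None:
        return ""
    text = content.text or ""
    if content.get("type", "text") == "html":
        return text                      # the parser already un-escaped it
    return html.escape(text)             # text content is never markup


def save_activity(entry_xml: str) -> str:
    """What the AtomPub handler must do itself once the save routine trusts
    its caller (hypothetical stand-in for the real handler)."""
    return purify(extract_html_content(entry_xml))


if __name__ == "__main__":
    print(save_activity(SAMPLE_ENTRY))
```

Running it on the sample entry yields `<p>hi <a href="https://sdf.org">SDF</a></p>`: the style attribute, the onclick handler, the script element and the img element are all gone, and anything stored would be safe to render on a UI that does not filter on display. The point of the design is that the purifier sits in the API handler, on the path that lost it, rather than relying on whichever UI happens to render the notice later.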