Conversation:

Notices

  1. Adam Moore (LÆMEUR) (laemeur)'s status on Friday, 29-Jan-2016 17:07:19 EST
    !gnusocial — I posted some Javascript via the AtomPub API and the server didn't seem to mind. The good news is that when I saw the notice on LoadAverage and the Quitters, the script tags had been stripped — I don't know if that happened when the notice was federated, or whether the UIs on those sites did it — but here on !SDF (we're running the classic UI), the code ran. That's probably not good.
    Friday, 29-Jan-2016 17:07:19 EST from gs.sdf.org permalink
    • MMN-o ✅⃠ (mmn)'s status on Friday, 29-Jan-2016 17:36:23 EST
      • Adam Moore (LÆMEUR)
      @laemeur 'ang on, that should be put through htmlspecialchars. I'll fix this as soon as I get home if it's my fault. I've usually been good at escaping (especially telling others to do so!). So embarrassing .)
      Friday, 29-Jan-2016 17:36:23 EST permalink
    • MMN-o ✅⃠ (mmn)'s status on Friday, 29-Jan-2016 17:39:47 EST
      • Adam Moore (LÆMEUR)
      @laemeur but I think I know why (before looking at code). The atompub api probably relied on a purifier in Notice::saveNew but since I've switched to Notice::saveActivity it (recently) started trusting the input to that function (so plugins/api are responsible to purify). And I just never added that check to AtomPub.
      Friday, 29-Jan-2016 17:39:47 EST permalink
    • MMN-o ✅⃠ (mmn)'s status on Friday, 29-Jan-2016 17:40:20 EST
      • Adam Moore (LÆMEUR)
      @laemeur good thibg that noone uses tge atompub api! Haw haw
      Friday, 29-Jan-2016 17:40:20 EST permalink
    • MMN-o ✅⃠ (mmn)'s status on Friday, 29-Jan-2016 18:07:38 EST
      • Adam Moore (LÆMEUR)
      @laemeur https://git.gnu.io/gnu/gnu-social/commit/5167b1fa408aa486ad75c8ddd3c71cb568dc84a3
      Please make sure I didn't break anything else ;)

      common_purify removes bad stuff. Including <img> <video> and <audio>! And any style attributes to HTML elements. And a bunch of other evil stuff.
      Friday, 29-Jan-2016 18:07:38 EST permalink
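The fix mmn describes above (purify AtomPub input at the API layer, because Notice::saveActivity now trusts whatever its caller hands it) is illustrated by the following added example. It is not GNU social's code and it is not common_purify: it is a simplified allowlist sanitiser written in Python, whose rules are constructed to mirror what the thread says the real purifier drops (script, img, video, audio, and style attributes), an htmlspecialchars-style escape for plain-text notices, and a small model of the trust boundary between the API entry point and the storage function. The names NoticePurifier, purify, escape_plain, save_activity and api_post are assumed stand-ins, not GNU social identifiers.

```python
import html
from html.parser import HTMLParser

# Allowlist of elements a notice may keep, mapped to the attributes kept on each.
# Constructed for this example; it is not common_purify's rule set.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "code": set(), "pre": set(), "blockquote": set(),
    "ul": set(), "ol": set(), "li": set(), "span": set(),
    "a": {"href", "title"},
}
# Elements whose text content is dropped together with the tags.
DROP_WITH_CONTENT = {"script", "style"}
# Only these URL schemes survive in href; javascript:, data: and friends are dropped.
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class NoticePurifier(HTMLParser):
    """Re-emit only allowlisted markup; everything else is stripped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return   # forbidden element (img, video, audio, iframe, ...): drop the tag
        kept = []
        for name, value in attrs:
            # style, on* event handlers and anything else not allowlisted are dropped
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded entities can never become tags.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass   # comments (including conditional comments) are dropped


def purify(untrusted_html: str) -> str:
    """Allowlist-sanitise HTML received through an API before it is stored."""
    parser = NoticePurifier()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


def escape_plain(text: str) -> str:
    """The htmlspecialchars-style alternative for notices that carry no markup."""
    return html.escape(text, quote=True)


def save_activity(content: str, already_purified: bool) -> str:
    """Model of the boundary the thread describes: storage trusts its caller,
    so the caller (the API layer) is responsible for purifying."""
    if not already_purified:
        raise ValueError("caller must purify content before save_activity")
    return content


def api_post(content: str) -> str:
    """The API entry point purifies first, then hands clean content to storage."""
    return save_activity(purify(content), already_purified=True)


if __name__ == "__main__":
    # Constructed sample input mixing allowed markup with markup the purifier removes.
    sample = ('<p>Hello <b>world</b> <script>alert(1)</script>'
              '<img src="x" onerror="alert(1)">'
              '<a href="javascript:alert(1)" style="color:red">link</a></p>')
    print(api_post(sample))   # <p>Hello <b>world</b> <a>link</a></p>
```

The important design point is where the check lives: purify() is called inside api_post(), the layer that receives untrusted input, rather than being assumed to have happened somewhere earlier. That is exactly the assumption that went wrong in the thread when the purifier moved out of the storage path.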
    • MMN-o ✅⃠ (mmn)'s status on Friday, 29-Jan-2016 18:08:21 EST
      @mmn That previous post could make people think I was drunk, but it was just an OSD keyboard.
      Friday, 29-Jan-2016 18:08:21 EST permalink
    • التنينوكس (dragnucs)'s status on Saturday, 30-Jan-2016 07:35:59 EST
      • Adam Moore (LÆMEUR)
      @laemeur There was an XSS vulnerability in older !gnusocial version that was fixed.
      Saturday, 30-Jan-2016 07:35:59 EST permalink
    • MMN-o ✅⃠ (mmn)'s status on Saturday, 30-Jan-2016 10:02:00 EST
      • Navigium
      @navigium The #AtomPub input was actually filtered before, but a recent commit removed that accidentally (because I assumed it was "purified" before entering that function). That change has now been reverted. Also, it only affected the AtomPub API (afaik, but I'm reasonably sure :P) during that short period.

      But yeah, all !gnusocial users are recommended to update (both master and nightly branches).
      Saturday, 30-Jan-2016 10:02:00 EST permalink
    • MMN-o ✅⃠ (mmn)'s status on Saturday, 30-Jan-2016 11:01:57 EST
      • n2admin
      @n2admin Oh I'm an XML lover. Can't give up on that! #ILoveXML
      Saturday, 30-Jan-2016 11:01:57 EST permalink

Hacker Poesy is a GNU social hub. It runs version 1.1.3-beta3, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Hacker Poesy content and data are available under the Creative Commons Attribution 3.0 license.
