Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Filtering rules limitations (custom filter, user filter) #2392

Closed
ameshkov opened this issue Dec 18, 2018 · 2 comments

Comments

Projects
None yet
4 participants
@ameshkov
Copy link
Member

commented Dec 18, 2018

@ameshkov commented on Tue Dec 18 2018

  1. Custom filters must not support powerful modifiers ($replace and JS) unless they are explicitly enabled by the user filter (there should be a "Trusted" checkbox in the custom filter dialog)
  2. Change the CSS rules validation process and discard those with url in the style text

[ ] Trusted filter
Filters marked as trusted can use powerful filtering rules modifiers which can be dangerous in the wrong hands. Do not check this box unless you fully trust it.

Pre-installed filters are marked as trusted by default (as we perform validation on the server-side).

@ameshkov ameshkov added this to the 7.0 milestone Dec 18, 2018

@ameshkov ameshkov assigned northis and unassigned adbuker Jan 28, 2019

@northis

This comment has been minimized.

Copy link
Member

commented Jan 30, 2019

Resolved in pull-requests/283

@northis

This comment has been minimized.

Copy link
Member

commented Feb 8, 2019

To test:

  1. Ensure the new setting for each filter saves correctly.
  2. Ensure that third-party filters had untrusted state by default. Make them trusted and ensure AG save this state.
  3. Ensure that users' filters have trusted state.
  4. Check an untrusted filter's work with these $replace or url features - it cannot use them anymore.

@zzebrum zzebrum closed this May 22, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.