
External cal events containing HTML are not parsed #76

Closed
NovaFox161 opened this issue Oct 20, 2020 · 1 comment
Labels: area/bot (Issues and pull requests relating to the Bot module), area/web (Issues and pull requests relating to the Web module), bug
Milestone: v4.1.0

Comments

@NovaFox161 (Member):

Who is the bug affecting?

Users viewing events in servers that use external calendars and have HTML in their events.

What is affected by this bug?

bot, possibly website, anywhere that displays event content (if website, could potentially lead to XSS)

When does this occur?

Anytime one views an event that contains HTML content

Where on the platform does it happen?

Event view dialogs, potentially announcements and anywhere on the website that shows event content.

How do we replicate the issue?

Have an event that contains HTML content and is then displayed by the bot.

Expected behavior (i.e. solution)

HTML content should be stripped and safe HTML (line breaks, italics, href, etc) should be parsed and displayed safely.

Other Comments

First reported by Danny H on discord.

NovaFox161 added the bug, area/web, area/bot and Priority: Immediate Action Needed labels on Oct 20, 2020
NovaFox161 added this to the v4.1.0 milestone on Oct 20, 2020

@NovaFox161 (Member, Author):

This will be fixed by using jsoup and parsing out the HTML (except for safe tags) for the web page and when returning in the API.

Internally, we will strip the HTML completely, and replace safe tags with the equivalent markdown code.

I'd like to fit this into 4.1.0, but might have to push this to the next release after that, where I want to work on abstracting out a lot of the API so that 99% of the code base doesn't actually touch Google, making it easier to integrate into other services such as Apple Calendar, iCal, Outlook, etc.
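The two output paths described in the expected-behaviour section of the report and in the comment above (allow-listed HTML for the web page and API, markdown with all HTML stripped for the bot), as an added example that is not DisCal's own code. It assumes jsoup 1.14 or later, where the allow-list class is Safelist (older releases name it Whitelist); the class EventDescriptionSanitizer and its methods toSafeHtml and toMarkdown are hypothetical names, and the event description is a constructed sample.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.nodes.Node;
import org.jsoup.nodes.TextNode;
import org.jsoup.safety.Cleaner;
import org.jsoup.safety.Safelist;
import org.jsoup.select.NodeTraversor;
import org.jsoup.select.NodeVisitor;

/** Hypothetical helper (names are assumptions, not DisCal's own API). */
public final class EventDescriptionSanitizer {

    // Allow-list of the "safe" tags named in the issue: line breaks, emphasis, links.
    // Everything else (script, img, style, event-handler attributes, ...) is dropped,
    // and an href is kept only if its scheme is http, https or mailto.
    private static final Safelist SAFE = new Safelist()
            .addTags("a", "b", "strong", "i", "em", "u", "s", "strike", "code", "br", "p")
            .addAttributes("a", "href")
            .addProtocols("a", "href", "http", "https", "mailto");

    /** Web page / API: return HTML containing only allow-listed tags and attributes. */
    public static String toSafeHtml(String untrusted) {
        return Jsoup.clean(untrusted == null ? "" : untrusted, SAFE);
    }

    /** Bot: strip all HTML, rendering the safe tags as Discord markdown instead. */
    public static String toMarkdown(String untrusted) {
        // Clean first, then walk the cleaned tree; unsafe tags never reach the visitor.
        Document clean = new Cleaner(SAFE)
                .clean(Jsoup.parseBodyFragment(untrusted == null ? "" : untrusted));
        StringBuilder out = new StringBuilder();
        NodeTraversor.traverse(new NodeVisitor() {
            @Override public void head(Node node, int depth) {
                if (node instanceof TextNode) {
                    // Escape so event text cannot inject its own markdown formatting.
                    out.append(escapeMarkdown(((TextNode) node).text()));
                    return;
                }
                switch (node.nodeName()) {
                    case "br": out.append('\n'); break;
                    case "b": case "strong": out.append("**"); break;
                    case "i": case "em": out.append('*'); break;
                    case "u": out.append("__"); break;
                    case "s": case "strike": out.append("~~"); break;
                    case "code": out.append('`'); break;
                    case "a": if (hasLink(node)) out.append('['); break;
                    default: break;
                }
            }
            @Override public void tail(Node node, int depth) {
                if (node instanceof TextNode) return;
                switch (node.nodeName()) {
                    case "b": case "strong": out.append("**"); break;
                    case "i": case "em": out.append('*'); break;
                    case "u": out.append("__"); break;
                    case "s": case "strike": out.append("~~"); break;
                    case "code": out.append('`'); break;
                    case "p": out.append('\n'); break;
                    case "a":
                        // The href survived the Safelist protocol check, so it is not javascript: etc.
                        if (hasLink(node)) out.append("](").append(node.attr("href")).append(')');
                        break;
                    default: break;
                }
            }
        }, clean.body());
        return out.toString().trim();
    }

    // A link whose href was removed by the cleaner is rendered as plain text.
    private static boolean hasLink(Node node) {
        return node instanceof Element && !node.attr("href").isEmpty();
    }

    static String escapeMarkdown(String text) {
        return text.replaceAll("([\\\\*_~`|\\[\\]])", "\\\\$1");
    }

    public static void main(String[] args) {
        // Constructed sample of an external calendar event description.
        String description = "Sprint review <b>today</b><br>"
                + "<a href=\"javascript:alert(1)\">click me</a> "
                + "<script>alert('xss')</script>"
                + "<a href=\"https://example.com/agenda\">agenda</a>";
        System.out.println(toSafeHtml(description));
        System.out.println(toMarkdown(description));
    }
}
```

Two design choices worth noting: the cleaner runs before the markdown conversion so the visitor only ever sees allow-listed nodes (script bodies are discarded outright because their parent tag is not allowed), and the protocol filter on href means a link that fails it loses its href and falls back to plain text rather than becoming a clickable `javascript:` URL in either output. Escaping markdown characters in text nodes keeps event text from forging bold, spoiler or code formatting in the bot's message.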
