(Update) Remove XSS cleaner and remove XSS vulnerabilities #3222
base: 8.x.x
Conversation
This is the definition of an open redirect vulnerability which is unacceptable and will require rethinking.
Open redirect vulnerabilities are only valid for links (
We've been mostly relying on the 3rd-party XSS cleaner to make sure user-submitted content is clean. This PR fixes up any leftover holes in the bbcode parser that allow XSS vulnerabilities, and as a result the 3rd-party library isn't needed anymore. It cleans responsibly by first running `htmlspecialchars()` over the content, followed by validating any untrusted input used inside HTML attributes. It validates URLs by returning them as redirects, relying on the browser not supporting executable protocols (like `javascript:`).
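The escape-then-validate order the description above refers to, as an added illustration that is not the project's parser: a tiny `[b]`/`[url]` renderer that runs `htmlspecialchars()` over the whole input first and only then validates the one value it places into an attribute. The tag set, the `/redirect` endpoint and the http/https allowlist in front of it are assumptions made for this example.

```php
<?php
// Added example (not the project's code): escape the whole input with
// htmlspecialchars() first, then validate every value that ends up inside
// an HTML attribute. Tag names and the /redirect endpoint are assumptions.

function renderBbcode(string $input): string
{
    // Step 1: neutralise all markup in user content. After this point no raw
    // <, >, " or ' from the user can reach the output.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: rewrite bbcode tags. Escaping already happened, so the only
    // thing left to check is the attribute value each replacement builds.
    $escaped = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $escaped);

    return preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#s',
        function (array $m): string {
            $href = safeHref($m[1]);
            // A rejected URL degrades to plain link text instead of a link.
            return $href === null
                ? $m[2]
                : '<a href="' . $href . '" rel="noopener">' . $m[2] . '</a>';
        },
        $escaped
    );
}

// Validate an untrusted URL destined for an href attribute. The value has
// already been through htmlspecialchars(), so decode it before parsing and
// re-encode on the way out. Only http/https are handed to the redirect
// endpoint; javascript:, data: and similar schemes are dropped here rather
// than left for the browser to refuse.
function safeHref(string $escapedUrl): ?string
{
    $url = trim(html_entity_decode($escapedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return '/redirect?url=' . rawurlencode($url);
}

// Constructed sample input: one executable-protocol link, one ordinary one.
echo renderBbcode('[url=javascript:alert(1)]x[/url] [b][url=https://example.com/?a=1&b=2]ok[/url][/b]');
```

The first link renders as bare text, the second as `<a href="/redirect?url=https%3A%2F%2Fexample.com%2F%3Fa%3D1%26b%3D2">` inside `<strong>`; the redirect endpoint itself still has to apply the same scheme check, or it becomes the open redirect raised earlier in the thread.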