Sanitize html #3708
Sanitize html #3708
Conversation
|
I'm not very familiar with ammonia, but it seems like it doesn't completely remove html. Just trying say that "make cross-site scripting attacks completely impossible" is a big statement, which might give a false sense of security. |
|
I agree with solid-snail. This PR doesn't perfectly solve the problem. There's places where the user should be able to pass (sane) HTML/ markdown like CreateCommentReport.reason, and there's places where the user should only be able to pass plain text, like lang.password_reset_body(username). In the first case, ammonia could be used, in the second case, all HTML should be escaped, like @solid-snail added in #3720. Otherwise, you can still probably inject non-script HTML like phishing links into the email body. |
|
This is a good start: if we find cases where HTML shouldn't be sanitized for some reason, or places where ammonia doesn't properly sanitize where it should, then we can do more PRs in the future. Seems to be failing cargo fmt. |
|
CI is passing now. Maybe I was too optimistic, but even if its not perfect this is still a major improvement. We can improve security further in future PRs. Edit: added commit to forbit |
* HTML sanitization in apub code * Sanitize API inputs * fmt * Dont allow html a, img tags --------- Co-authored-by: Dessalines <dessalines@users.noreply.github.com>
|
looks like this needs some refining: its eating > quote tags. https://lemmy.ml/post/2527005 . they're getting stored as > in the database which makes me think its this |
|
Yes, I ran across it while reading the test cases in Ammonia's source code. When there are unmatched |
|
markdown comments didn't cross my mind at the time, sorry about that. |
|
Thanks for reporting this, I opened #3749 to fix it. |
Use ammonia crate to sanitize malicious HTML from all string inputs, both via api and federation. This will make cross-site scripting attacks completely impossible.