text_view renders html markup #5814

Closed
pazepaze opened this issue Jan 7, 2021 · 0 comments · Fixed by #5815
pazepaze commented Jan 7, 2021

CKAN version 2.9.1

Describe the bug
The text_view renders html elements if they occur in a text file.

Steps to reproduce
Create resource and upload the following text file:

`foo.txt` with content

```html
<input type="text"/>
```

The text view actually displays this as an input field:
image

Expected behavior
Text view just renders everything as plain text

Additional details
I didn't test what else can be injected that way. Could this even allow XSS attacks?
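
The behaviour reported above, next to an escaped rendering, as an added example (not CKAN's `text_view` code and not part of the original report). The function names and the `<pre>` wrapper are assumptions made for illustration; the sample input is the `foo.txt` content from the report.

```javascript
// Added illustration only; all function names here are hypothetical.

// Constructed sample: the foo.txt content from the report.
const FOO_TXT = '<input type="text"/>';

// Characters that change meaning in HTML element content or attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: file content is concatenated into markup, so a browser parses
// whatever the file contains as HTML (the reported behaviour).
function renderPreviewUnsafe(fileText) {
  return '<pre>' + fileText + '</pre>';
}

// Safe: file content is escaped first, so it can only become a text node.
// In a browser, assigning the text to element.textContent has the same effect.
function renderPreviewSafe(fileText) {
  return '<pre>' + escapeHtml(fileText) + '</pre>';
}

// Regression check: true if the markup holds any tag besides the <pre> wrapper.
function containsInjectedElement(markup) {
  const inner = markup.replace(/^<pre>/, '').replace(/<\/pre>$/, '');
  return /<[a-zA-Z!\/?]/.test(inner);
}

console.log(renderPreviewUnsafe(FOO_TXT));
console.log(renderPreviewSafe(FOO_TXT));
console.log(containsInjectedElement(renderPreviewUnsafe(FOO_TXT)),
            containsInjectedElement(renderPreviewSafe(FOO_TXT)));
```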

@wardi wardi self-assigned this Jan 7, 2021
wardi added a commit that referenced this issue Jan 7, 2021
wardi added a commit that referenced this issue Jan 16, 2021
Co-authored-by: Jari Voutilainen <jari.voutilainen@iki.fi>
Zharktas added a commit that referenced this issue Jan 18, 2021
amercader pushed a commit that referenced this issue Jan 28, 2021
Co-authored-by: Jari Voutilainen <jari.voutilainen@iki.fi>