Strip tags to sanitize input in User profile #42
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Strip tags to sanitize input in User profile and in Tags & Comments. I had a mail from etat.ge.ch audit firm that reports these as XSS injection risk in their automated exam.
|
Striptags() is not enough. HTMLPurifier must be used. I'll add that shortly. |
|
Hi, JavaScript is already removed (tested) but simple tags , ... are kept without attributes. Gautier |
|
What is the problem then? |
|
Sorry, easier to understand :
“Those tags are still displayed everywhere (dropdown user menu, bottom bar
in Providence for user name, within the tags or comments…) ; and not
tested, but tags may be cutted with a comma within some tags :-(“
Le ven. 17 juin 2022 à 14:19, Gautier Michelin ***@***.***>
a écrit :
Hi Seth or CA team,
Those tags are still displayed everywhere (dropdown user menu, bottom bar
in Providence for user name, within the tags are commands…), and not
tested, but tags may be cutted with a comma within some tags :-(
For me, it’s more a question than etat.ge.ch their tool will continue to
report false XSS injection risks (you’ll risk having such demand from other
users too) why not simple strip_tags ?
Best,
Gautier
Le ven. 17 juin 2022 à 14:13, CollectiveAccess ***@***.***>
a écrit :
> What is the problem then?
>
> —
> Reply to this email directly, view it on GitHub
> <#42 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AACM2SM6JYTMXLBHZGT36ELVPRTXRANCNFSM5ZBY3R2Q>
> .
> You are receiving this because you authored the thread.Message ID:
> ***@***.***>
>
--
Gautier MICHELIN
--
Gautier MICHELIN
|
|
Is this an XSS risk? Or just a formatting issue? |
|
I'm going to merge this, as regardless there's no reason for HTML tags to be in there. |
|
I'm just answering your question. For me, formatting isn't needed in these. As you can add tags here, it's reported as a risk with certains (at least one) automated XSS report tool. Let's remove this false positive. Thanks for having merged this PR, best to all team member |
|
Hi Seth or CA team,
Those tags are still displayed everywhere (dropdown user menu, bottom bar
in Providence for user name, within the tags are commands…), and not
tested, but tags may be cutted with a comma within some tags :-(
For me, it’s more a question than etat.ge.ch their tool will continue to
report false XSS injection risks (you’ll risk having such demand from other
users too) why not simple strip_tags ?
Best,
Gautier
Le ven. 17 juin 2022 à 14:13, CollectiveAccess ***@***.***> a
écrit :
What is the problem then?
—
Reply to this email directly, view it on GitHub
<#42 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACM2SM6JYTMXLBHZGT36ELVPRTXRANCNFSM5ZBY3R2Q>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
--
Gautier MICHELIN
|
|
Ok sure let's do that then. Can you make a new PR for both master and develop? thanks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Strip tags to sanitize input in User profile and in Tags & Comments.
I had a mail from etat.ge.ch audit firm that reports these as XSS injection risk in their automated exam.