
Improve HTML escaping helper #12383

Merged: 2 commits, Jul 31, 2020

Conversation

silverwind (Member) commented Jul 30, 2020

The previous method did not escape single quotes, which under some circumstances can lead to XSS vulnerabilities, and the fact that it depends on jQuery is also not ideal. Replace it with a lightweight module.

@silverwind silverwind changed the title from "Use escape-goat to escape HTML" to "Improve HTML escaping helper" Jul 30, 2020

zeripath (Contributor) left a comment


Seems off that we have to write this ourselves.

@GiteaBot GiteaBot added the label lgtm/need 1 (This PR needs approval from one additional maintainer to be merged.) Jul 30, 2020
@techknowlogick techknowlogick added this to the 1.13.0 milestone Jul 30, 2020
silverwind (Member, Author) commented Jul 30, 2020

I initially wanted to use https://github.com/sindresorhus/escape-goat but that module got some bloat recently so I decided to just copy the function from there. Not like this will ever change.

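The class of bug the PR description refers to (an escaper that skips single quotes) next to an escape-goat-style replacement, as an added example that is not code from Gitea or from escape-goat. `htmlEscape` covers the five significant characters; `htmlEscapeWeak`, `safeInSingleQuotedAttr`, `htmlUnescape` and the sample input are constructed here for illustration.

```javascript
// Added example (not Gitea's or escape-goat's own code): a minimal
// HTML escaper in the style of escape-goat's htmlEscape, plus a
// weaker variant that mirrors the class of bug described in the PR
// (single quotes left intact).  The "weak" function and the helper
// names below are assumptions made for illustration.

// Escape every character that can change meaning in HTML text or in
// double- or single-quoted attribute values.  Order matters: '&' is
// replaced first so the entities produced later are not double-escaped.
function htmlEscape(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Weak variant: escapes everything except the single quote.  Fine for
// text nodes and double-quoted attributes, but once a template places
// the result inside a single-quoted attribute the value can end the
// attribute early, which is the single-quote problem the PR fixes.
function htmlEscapeWeak(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// True when the escaped value can sit inside a single-quoted attribute
// without terminating it.  Useful as a unit-test check for an escaper.
function safeInSingleQuotedAttr(escaper, value) {
  return !escaper(value).includes("'");
}

// Inverse of htmlEscape for the five entities it produces; '&amp;' is
// decoded last so that '&amp;lt;' round-trips back to '&lt;' correctly.
function htmlUnescape(html) {
  return String(html)
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&#0?39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Constructed sample input containing all five significant characters.
const SAMPLE = `Tom & Jerry's <"title">`;
```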
@GiteaBot GiteaBot added the label lgtm/done (This PR has enough approvals to get merged. There are no important open reservations anymore.) and removed the label lgtm/need 1 (This PR needs approval from one additional maintainer to be merged.) Jul 30, 2020
silverwind (Member, Author) commented Jul 30, 2020

Switched to the module again. With webpack's tree-shaking the unused parts will not be included in the output. The tagged template versions may also be useful at some point.

techknowlogick (Member)

🚀

@techknowlogick techknowlogick merged commit 11dcc17 into go-gitea:master Jul 31, 2020
silverwind (Member, Author)

I don't think this will need a backport. There's probably no XSS possible in the existing usage, so this is more of a refactor.

@silverwind silverwind deleted the escape-goat branch July 31, 2020 06:49
6543 added a commit to adelowo/gitea that referenced this pull request Aug 1, 2020
@6543 6543 mentioned this pull request Aug 1, 2020
zeripath (Contributor)

Do we think this needs backporting?

silverwind (Member, Author)

While I don't think it's really necessary, we can do it of course just to be safe from theoretical single-quote issues.

silverwind (Member, Author)

#12562

@zeripath zeripath added the backport/done All backports for this PR have been created label Aug 22, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Labels:
- backport/done (All backports for this PR have been created)
- lgtm/done (This PR has enough approvals to get merged. There are no important open reservations anymore.)
- type/bug