
Protect against XSS vulnerabilities in URL redirection #16

Merged
merged 1 commit into kakwa:master from jthiltges:escape on Jan 2, 2019

Conversation

jthiltges (Contributor)
- Switch from base64 to URL encoding for passing the URL, using the built-in Mako filtering
- Apply HTML filtering to Mako output by default
- Disable HTML filtering for nested templates in adduser, modify, and selfmodify
coveralls (Coverage Status): Coverage remained the same at ?% when pulling 6f98076 on jthiltges:escape into 1ed654c on kakwa:master.

kakwa (Owner) commented Jan 2, 2019

Thank you for reporting.

I completely missed this redirect as an untrusted user input. Thank you for the fix.

I do test against a list of "naughty" strings (`def testNaughtyStrings(self):`) but it proved to be not enough.

And thank you for the overall improvements using the mako escaping, this will help greatly to reduce the risk of content injection, adding a layer of protection.

@kakwa kakwa merged commit 636400b into kakwa:master Jan 2, 2019
jthiltges (Contributor, Author)

Thanks so much for your help and the prompt merge!

@jthiltges jthiltges deleted the escape branch January 3, 2019 17:57
kakwa (Owner) commented Jan 3, 2019 via email

jthiltges (Contributor, Author) commented Jan 3, 2019

I'm updating our install and just noticed an issue with escaping on the selfmodify and modify pages. Sorry about that. I'll get a new PR opened shortly.

  <select class="form-control" id="attr.shell" name="attr.shell">
        &lt;option&gt;/bin/bash&lt;/option&gt;
        <option>/bin/tcsh</option>
  </select>
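The three changes listed in the PR description (URL-encoding the redirect target instead of base64, HTML-escaping every template expression by default, and exempting already-rendered nested templates from that default) and the double-escaped `<option>` shown in the follow-up comment, modelled as a runnable example written for this page. It is not the project's own code and it does not use Mako: `render()` and `Safe` are hypothetical stand-ins for Mako's `default_filters=['h']` and its `| n` filter, `quote_plus` stands in for Mako's `u` filter, and the attacker payload and shell list are constructed. The `is_local_path` check is an addition the PR does not contain.

```python
"""Model of the escaping pipeline discussed in this PR (stdlib only; not the
project's code and not Mako itself).  The Mako filter names quoted in comments
(h, u, n) are real; render()/Safe are hypothetical stand-ins for them."""
import base64
import html
from urllib.parse import quote_plus, unquote_plus, urlsplit

LOGIN_URL = "/login"
# Constructed attacker input for the `url` redirect parameter.
CONSTRUCTED_PAYLOAD = '"><script>alert(1)</script>'


class Safe(str):
    """Fragment that is already escaped; inserted verbatim (the role of `| n`)."""


def escape_value(value):
    """Default filter applied to every substituted value (like Mako's `h`)."""
    if isinstance(value, Safe):
        return str(value)
    return html.escape(str(value), quote=True)


def render(template, **values):
    """Substitute {name} placeholders, HTML-escaping each value unless Safe."""
    return template.format(**{k: escape_value(v) for k, v in values.items()})


def query_value(link):
    """Return the raw value of the `url` query parameter of a login link."""
    return link.split("url=", 1)[1]


# --- Before: base64 "encoding" of the redirect target, then raw interpolation.
def login_link_base64(next_url):
    return LOGIN_URL + "?url=" + base64.b64encode(next_url.encode()).decode()


def render_login_form_raw(url_param):
    """Base64 only transports the bytes; decoding hands the attacker's markup
    straight back to a template that performs no escaping."""
    decoded = base64.b64decode(url_param).decode()
    return '<input type="hidden" name="url" value="' + decoded + '">'


# --- After: URL-encode the parameter (Mako `| u`) and escape on output (`h`).
def login_link_urlencoded(next_url):
    return LOGIN_URL + "?url=" + quote_plus(next_url)


def roundtrip_url_param(next_url):
    """URL encoding is lossless: the server gets the original target back."""
    return unquote_plus(query_value(login_link_urlencoded(next_url)))


LOGIN_FORM = '<input type="hidden" name="url" value="{url}">'


def render_login_form(url_param):
    """url_param is the decoded parameter, as a framework would pass it in."""
    return render(LOGIN_FORM, url=url_param)


def is_local_path(url):
    """Added check, not part of the PR: escaping fixes how the target is
    rendered, not where it points, so only accept same-site relative paths."""
    parts = urlsplit(url)
    return (url.startswith("/") and not url.startswith("//")
            and "\\" not in url          # browsers treat "\" like "/"
            and not parts.scheme and not parts.netloc)


# --- Nested templates: the double-escaped <option> from the follow-up comment.
SELECT_TMPL = ('<select class="form-control" id="attr.shell" name="attr.shell">'
               '{options}</select>')
OPTION_TMPL = '<option>{shell}</option>'


def render_shell_select(shells, nested_is_safe):
    """The inner template escapes its own values.  Unless the outer template is
    told that output is already escaped (`| n`), it escapes it a second time."""
    options = "".join(render(OPTION_TMPL, shell=s) for s in shells)
    if nested_is_safe:
        options = Safe(options)
    return render(SELECT_TMPL, options=options)


if __name__ == "__main__":
    shells = ["/bin/bash", "/bin/tcsh"]          # constructed sample values
    print(render_login_form_raw(query_value(login_link_base64(CONSTRUCTED_PAYLOAD))))
    print(render_login_form(roundtrip_url_param(CONSTRUCTED_PAYLOAD)))
    print(render_shell_select(shells, nested_is_safe=False))
    print(render_shell_select(shells, nested_is_safe=True))
```

The first printed line contains the live `<script>` tag, the second contains only `&lt;script&gt;`, and the third reproduces the `&lt;option&gt;/bin/bash&lt;/option&gt;` output quoted in the comment above. In Mako the equivalent of `Safe` is putting `n` in the expression's filter list, which suppresses the default filters for that one expression and is what the nested adduser, modify and selfmodify templates need once `h` is the default.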
