Fix insufficient sanitization of report comments #17430
The comments field already stripped out dangerous things (script / style / svg tags, anchors with href="javascript:", onError attributes on image tags, etc.). Was this change just security hardening, or did it fix an actual vulnerability?
This did fix a minor security issue, but you are right that the most dangerous things would be sanitized away by Rails (and also be disallowed by Mastodon's default Content-Security Policy).
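The exchange above turns on the difference between sanitizing a field and escaping it: a sanitizer removes markup it considers dangerous but lets allowlisted tags and links through, whereas a report comment is plain text and should never be rendered as markup at all. The following Ruby sketch is an added illustration, not Mastodon's code and not the diff from this PR (which is not shown on the page). The `toy_sanitize` allowlist is a deliberately simplified stand-in for the Rails HTML sanitizer (which is Loofah/Nokogiri based) and exists only to show what survives sanitization; the report comment is constructed.

```ruby
require 'cgi'

# Constructed sample report comment (not taken from a real report).
REPORT_COMMENT = 'This account is spam. <b>Please act now</b> ' \
                 '<a href="https://phish.example/login" onclick="steal()">verify here</a> ' \
                 '<script>alert(1)</script><img src=x onerror="alert(2)">'

ALLOWED_TAGS = %w[b i em strong p br a].freeze
DROP_WITH_CONTENT = %w[script style svg].freeze

# Simplified allowlist sanitizer standing in for the Rails sanitizer.
# It removes script/style/svg elements with their contents, drops any tag
# not on the allowlist, strips every attribute except an http(s) href on <a>.
# Regex-based HTML sanitizers are unsafe in general; this is illustrative only.
def toy_sanitize(html)
  out = html.dup
  DROP_WITH_CONTENT.each do |t|
    out = out.gsub(%r{<#{t}\b[^>]*>.*?</#{t}\s*>}mi, '')
  end
  out.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>}) do
    closing, name, attrs = $1, $2.downcase, $3
    next '' unless ALLOWED_TAGS.include?(name)      # e.g. <img ... onerror=...> is dropped
    next "<#{closing}#{name}>" if closing == '/' || name != 'a'
    href = attrs[/\bhref\s*=\s*"([^"]*)"/i, 1]
    if href && href =~ %r{\Ahttps?://}i
      %(<a href="#{href}">)                          # javascript: hrefs never reach here
    else
      '<a>'
    end
  end
end

# Escaping: treat the comment as the plain text it is. Nothing the reporter
# typed can become a tag, an attribute or a link in the admin view.
def escape_comment(text)
  CGI.escapeHTML(text)
end

# True if rendered output still contains live markup (a tag or attribute).
def live_markup?(rendered)
  rendered.match?(/<[a-zA-Z]/)
end

if $PROGRAM_NAME == __FILE__
  puts "sanitized: #{toy_sanitize(REPORT_COMMENT)}"
  puts "escaped:   #{escape_comment(REPORT_COMMENT)}"
end
```

The sanitized form keeps `<b>` and a clickable `<a href="https://phish.example/login">`: no script runs, but a reporter can still inject formatting and an arbitrary link into a moderator-facing page. The escaped form contains no live markup at all, which is the appropriate treatment for a free-text field that is not meant to carry HTML.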
* stable-3.4: (666 commits)
  Fix insufficient sanitization of report comments (mastodon#17430)
  Bump version to 3.4.6
  disable legacy XSS filtering (mastodon#17289)
  Change mastodon:webpush:generate_vapid_key task to not require functional env (mastodon#17338)
  Fix response_to_recipient? CTE
  Fix insufficient sanitization of report comments
  Fix compacted JSON-LD possibly causing compatibility issues on forwarding
  Compact JSON-LD signed incoming activities
  Fix error-prone SQL queries (mastodon#15828)
  Fix spurious errors when receiving an Add activity for a private post (mastodon#17425)
  Bump version to 3.4.5
  Add more advanced migration tests (mastodon#17393)
  Fix followers synchronization mechanism not working when URI has empty path (mastodon#16510)
  Add manual GitHub Actions runs (mastodon#17000)
  Change workflow to push to Docker Hub (mastodon#16980)
  Build container image by GitHub Actions (mastodon#16973)
  Bump ruby-saml from 1.11.0 to 1.13.0 (mastodon#16723)
  Save bundle config as local (mastodon#17188)
  Fix edge case in migration helpers that caused crash because of PostgreSQL quirks (mastodon#17398)
  Fix some old migration scripts (mastodon#17394)
  ...

# Conflicts:
#	.github/workflows/build-image.yml
#	CHANGELOG.md
#	Dockerfile
#	Gemfile.lock
#	app/lib/activitypub/activity/announce.rb
#	app/lib/activitypub/activity/create.rb
#	app/models/account.rb
#	chart/values.yaml
#	config/brakeman.ignore
#	config/environments/production.rb
#	config/locales/ja.yml
#	config/locales/simple_form.ja.yml
#	docker-compose.yml
#	lib/mastodon/maintenance_cli.rb
#	lib/mastodon/migration_helpers.rb
#	lib/mastodon/version.rb
#	lib/terrapin/multi_pipe_extensions.rb
#	yarn.lock
No description provided.