Fix XSS issue on qute://history

Fixes #4011 (cherry picked from commit 5a7869f)
qutebrowser · Jun 21, 2018 · 4c93602 · 4c93602 · The-Compiler · Jun 26, 2018
1 parent 1053873
commit 4c93602
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/qutebrowser/browser/qutescheme.py b/qutebrowser/browser/qutescheme.py
@@ -24,6 +24,7 @@
     _HANDLERS: The handlers registered via decorators.
 """
 
+import html
 import json
 import os
 import time
@@ -241,8 +242,9 @@ def history_data(start_time, offset=None):
         end_time = start_time - 24*60*60
         entries = hist.entries_between(end_time, start_time)
 
-    return [{"url": e.url, "title": e.title or e.url, "time": e.atime}
-            for e in entries]
+    return [{"url": html.escape(e.url),
+             "title": html.escape(e.title) or html.escape(e.url),
+             "time": e.atime} for e in entries]
 
 
 @add_handler('history')

diff --git a/tests/end2end/data/issue4011.html b/tests/end2end/data/issue4011.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>&lt;img src=&quot;x&quot; onerror=&quot;console.log('XSS')&quot;&gt;foo</title>
+    </head>
+    <body>
+        foo
+    </body>
+</html>
diff --git a/tests/end2end/features/history.feature b/tests/end2end/features/history.feature
@@ -111,3 +111,8 @@ Feature: Page history
         And I wait until qute://history is loaded
         Then the page should contain the plaintext "3.txt"
         Then the page should contain the plaintext "4.txt"
+
+    Scenario: XSS in :history
+        When I open data/issue4011.html
+        And I open qute://history
+        Then the javascript message "XSS" should not be logged