Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here's a rather interesting bug I found with the the help of american fuzzy lop. Stick the following into a view and observe an XSS:
@user\xF4<b>xss\xFA</b>
and"url":/page\xF4">x\xFA<b>xss\xFA</b>
are similar exploits.The issue is that
g_markup_escape_text
is used for escaping html, but this function assumes the input is valid utf8. When given invalid utf8 it goes haywire. Specifically,\xFA
is an invalid leading byte, which seems to cause the function to copy the next few bytes unescaped until it resynchronizes with the utf8 stream.The fix I went with is to raise an exception if the input isn't valid utf8. I also removed some stuff that tries to handle nulls since
g_validate_utf8
forbids those too. AFAICT the purpose of this code was to close any unclosed tags when EOF is reached, but that's redundant sinceparse_helper
callsdstack_close
anyway.In practice, postgres doesn't allow text fields to contain invalid utf8 or nulls to begin with, so in the real world this doesn't seem possible to trigger.