
wiki: unsafe() diff html on conflict. #765

Closed
wants to merge 2 commits into from

3 participants

@andre-d

Fixes #755, was caused by a safety net put in place with 102ef36

@spladug
Owner

I'm not sure I understand a) what this is fixing, or b) how this doesn't just reintroduce the XSS?

@andre-d

The XSS was on error messages displayed to the user, i.e. CSS errors. This fixes diff output (an HTML table generated in the backend) displaying the raw HTML rather than rendering. I can show you tomorrow if you wish.

@andre-d

Additionally, the css error xss was fixed by using .text(), so we have two layers of safety there.

https://github.com/reddit/reddit/blob/master/r2/r2/public/static/js/wiki.js#L117

@andre-d

Errrr, maybe it was in error 415, will look at that later. Either way, a different place, not the diff output, the diff output IS html.

@andre-d

:haircut:

Added a safety net fix for the xss.

r2/r2/public/static/js/wiki.js
@@ -106,7 +107,7 @@ r.wiki = {
,specials = special.children('#specials')
specials.empty()
for(i in errors) {
- specials.append(errors[i]+'<br/>')
+ specials.append($('<p/>').text(errors[i]))
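Review bot: the replacement on the `+` line is the right primitive for this error display: `.text(errors[i])` sets the element's text content, so any markup inside an error string is shown literally instead of being parsed, which is exactly what the old `specials.append(errors[i]+'<br/>')` concatenation allowed. The only semantic change is that each error now becomes a block `<p>` rather than an inline run separated by `<br/>`; worth a one-line mention in the commit message so the layout change is not mistaken for an accident.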

No need for the closing slash in <p>

@chromakode

:nail_care: re: diff XSS, if this is getting generated by the same renderer as the template, it should be an equivalent risk to including it on the html diff pages. As long as that is safe, looks ok to me.

@andre-d

:haircut: Changed to just `<p>`

@andre-d andre-d closed this
Commits on May 8, 2013
  1. @andre-d
Commits on May 9, 2013
  1. @andre-d
Showing with 3 additions and 2 deletions.
  1. +3 −2 r2/r2/public/static/js/wiki.js
5 r2/r2/public/static/js/wiki.js
@@ -95,8 +95,9 @@ r.wiki = {
409: function(xhr) {
var info = JSON.parse(xhr.responseText)
,content = $this.children('#wiki_page_content')
+ ,diff = conflict.children('#yourdiff')
conflict.children('#youredit').val(content.val())
- conflict.children('#yourdiff').html(info.diffcontent)
+ diff.html($.unsafe(info.diffcontent))
$this.children('#previous').val(info.newrevision)
content.val(info.newcontent)
conflict.fadeIn('slow')
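Review bot: `diff.html($.unsafe(info.diffcontent))` on the second `+` line deliberately steps around the escaping safety net, so the safety of this hunk rests entirely on the server-side diff table escaping the wiki text it places in its cells, since both revisions being compared are user-controlled content. The PR description should say where that escaping happens (or point to the existing page that already renders this same diff HTML, as @chromakode asks) so the next reader does not have to rediscover why raw `.html()` is acceptable here. Note also that `$.unsafe` is not part of jQuery itself, so it has to come from reddit's own scripts loaded before wiki.js.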
@@ -106,7 +107,7 @@ r.wiki = {
,specials = special.children('#specials')
specials.empty()
for(i in errors) {
- specials.append(errors[i]+'<br/>')
+ specials.append($('<p>').text(errors[i]))
}
special.fadeIn('slow')
},
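Review bot: the context line `for(i in errors) {` never declares `i`, so it assigns to an implicit global, and `for...in` over an array also walks any enumerable properties added to `Array.prototype`, which would then be appended as bogus error paragraphs. Since the `+` line in this hunk is already rewriting the loop body, switching to `$.each(errors, function(i, err) { specials.append($('<p>').text(err)) })` or an indexed `for (var i = 0; i < errors.length; i++)` would fix both for free.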