safeHTML use should be avoided #134
Labels: enhancement (New feature or request)
I could create a pull request covering most of the necessary changes (the ones that I can test) if you are ok with that.

Yes, absolutely welcome! I realized this problem after I finished this theme, but I was too lazy to check them one by one. Feel free to fix these.
reuixiy added a commit that referenced this issue on May 14, 2020:

Fixes #134.
* Simplify post-meta.html template logic
* Fixed indentation in previous commit
* Use icon.html template for zodiac icons in lists
* Remove unnecessary safeHTML usage in footer.html (busuanzi functionality unchanged, cannot test)
* Improved previous commit, no unnecessary markup for the copyright symbol
* Remove unnecessary safeHTML usage in style.html
* Use icon.html partial in the header
* Remove unnecessary safeHTML usage in script.html
* Removed unnecessary safeHTML usage in menu.html
* Remove unnecessary safeHTML use in header.html
* Use icon.html partial in back-to-top and port-share components
* Use icon.html partial in related-posts and socials components
* Remove unnecessary safeHTML use in feed generation
* Simplify minimal-footer-about component
* Removed safeHTML usage from post-updated-badge component
* Remove unnecessary safeHTML usage in post-copyright component
* Remove unnecessary safeHTML usage in post-nav component
* Simplify minimal-footer component and remove safeHTML usage
* Simplify post-tags component and remove safeHTML usage
* Made summary.html produce its result directly rather than via scratch, removed unnecessary safeHTML usage in home-posts.html
* Use icon.html partial on home-footage page
* Remove unnecessary safeHTML usage on post.html page
* Remove unnecessary safeHTML usage on home-poetry.html page
* Remove unnecessary safeHTML usage from OpenGraph data
* Remove unnecessary safeHTML usage from utils/list-item.html
* Improve image autodetection regex and remove unnecessary unsafeHTML usage in images.html
* Remove unnecessary safeHTML usage from relative-url.html
* Remove unnecessary safeHTML usage in content.html
* Revert image auto-detection changes, these aren't useful
* Delete the missing line in post-share
* Revert to using urls.Parse on tag and category names passed to .GetPage again
* Fix error caused by wrong context in list.html
* Replace hyphen with en dash
* Remove unnecessary safeHTML usage in post-gitinfo.html
* Remove unnecessary safeHTML usage of busuanzi in footer.html

Co-authored-by: reuixiy <reuixiy@gmail.com>
ulmefors pushed a commit to ulmefors/hugo-theme-meme that referenced this issue on Nov 22, 2020 (Fixes reuixiy#134; same commit message as the one above).
The theme currently uses the safeHTML function a lot. This is very undesirable security-wise, and it is hard to verify that no XSS vulnerabilities are introduced here. With merely a few safeHTML calls, reviewing its security implications would be much simpler.

For example in post-meta.html:

This should be:

That's both safer (safeHTML applied only to the icon where it makes sense) and more readable. In fact, it might be a good idea to create a template for icons, so that safeHTML can be applied to icons in that one place only (as an added bonus, this template could replace the icon class as well).

Or in footer.html:

Here safeHTML should be removed because markdownify.html already applies it (either directly, or via the markdownify function).
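As an added illustration (not code from the theme or from this issue), the Go program below uses html/template, which Hugo's templating builds on, with a stand-in safeHTML function to contrast a post-meta-style template that pipes the whole string through safeHTML against one that applies it to the icon only. The icon markup, the title string and both templates are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// safeHTML mirrors Hugo's safeHTML: it marks a string as trusted HTML so that
// html/template emits it without contextual escaping.
func safeHTML(s string) template.HTML { return template.HTML(s) }

// Constructed stand-ins: the icon is theme-owned markup (trusted); the title
// comes from a content file and is treated as untrusted.
const trustedIcon = `<svg class="icon"><use xlink:href="#icon-date"></use></svg>`
const untrustedTitle = `My post <script>alert(1)</script>`
type meta struct{ Icon, Title string }

// Hypothetical "before": everything is concatenated and then marked safe, so
// the title's markup is emitted verbatim.
const beforeTmpl = `{{ printf "%s %s" .Icon .Title | safeHTML }}`
// Hypothetical "after", as the issue suggests: safeHTML on the icon only; the
// title goes through html/template's auto-escaping.
const afterTmpl = `{{ .Icon | safeHTML }} {{ .Title }}`

func render(src string, data meta) (string, error) {
	t, err := template.New("post-meta").
		Funcs(template.FuncMap{"safeHTML": safeHTML}).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func Before() (string, error) { return render(beforeTmpl, meta{trustedIcon, untrustedTitle}) }
func After() (string, error)  { return render(afterTmpl, meta{trustedIcon, untrustedTitle}) }

// ScriptLeaked reports whether a raw <script> tag reached the rendered output.
func ScriptLeaked(out string) bool { return strings.Contains(out, "<script>") }

func main() {
	b, _ := Before()
	a, _ := After()
	fmt.Printf("before (leaked=%v): %s\n", ScriptLeaked(b), b)
	fmt.Printf("after  (leaked=%v): %s\n", ScriptLeaked(a), a)
}
```

The "after" output keeps the icon verbatim while the title arrives as `My post &lt;script&gt;alert(1)&lt;/script&gt;`, which is exactly the review property the issue asks for: only one known-trusted value is ever marked safe.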