Whitelist classes for HTML elements in statuses #3790
Comments
Note that a similar appearance can be achieved with
Also, we can embed a fake link without any
Is this also the source of the "spinning" spans? I believe I saw something like
Yes, that's also a result of allowing arbitrary classes in statuses; it takes advantage of FontAwesome's "spinning icons" functionality.
I'm working on a patch for this.
Whitelist allowed classes for federated statuses

Allowed classes are currently:
- Any microformats class (h/p/u/dt/e-*)
- the classes mention, hashtag, ellipses and invisible. This last one is somewhat suspect, but Mastodon currently uses it to render hidden link text.

resolved mastodon#3790

* Whitelist allowed classes for federated statuses

  Allowed classes are currently:
  - Any microformats class (h/p/u/dt/e-*)
  - the classes mention, hashtag, ellipses and invisible. This last one is somewhat suspect, but Mastodon currently uses it to render hidden link text.

  resolved #3790

* Fix code style
Thanks @nightpool! This patch fixes the UI spoofing, but @unarist raised a very good point about fake links which is still unaddressed. I'll open it as a separate issue.
It's currently possible for a malicious OStatus server to send statuses that spoof parts of Mastodon's UI without violating the constraints of sanitize_config.rb on master.

(If you're a user, don't worry about this.)
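The fix discussed in this thread replaces "any class is allowed" with a whitelist: microformats classes (h-*, p-*, u-*, dt-*, e-*) plus the four class names Mastodon's own formatter emits. The following is an added example, not Mastodon's sanitize_config.rb or the sanitize gem's transformer API, showing that whitelist as a standalone Ruby filter applied to a constructed status fragment. The class name is assumed to be `ellipsis` (the commit message spells it "ellipses"); the sample markup, the hostname example.invalid, and the regex-based attribute rewriting are assumptions for the demonstration; a production sanitizer would walk a parsed DOM instead of pattern-matching attribute syntax.

```ruby
# Added example (not Mastodon's code): keep only whitelisted class names in a
# federated status, so remote servers cannot reuse local UI/icon classes
# (e.g. FontAwesome's spinning icons) to spoof interface elements.

# Microformats classes are allowed by prefix (h-card, u-url, dt-published, ...).
MICROFORMATS_PREFIXES = %w[h- p- u- dt- e-].freeze
# Plain classes Mastodon's formatter emits. "ellipsis" is assumed here; the
# commit message in the thread writes "ellipses".
ALLOWED_CLASS_NAMES = %w[mention hashtag ellipsis invisible].freeze

# A class survives only if it is an exact whitelisted name or a microformats
# prefix followed by at least one character (a bare "h-" is rejected).
def class_allowed?(name)
  return true if ALLOWED_CLASS_NAMES.include?(name)
  MICROFORMATS_PREFIXES.any? { |p| name.start_with?(p) && name.length > p.length }
end

# Filter a whole class="..." value, preserving order of the surviving classes.
def filter_class_attribute(value)
  value.to_s.split(/\s+/).reject(&:empty?).select { |c| class_allowed?(c) }.join(' ')
end

# Rewrite every class attribute in an HTML fragment. The regex over attribute
# syntax is an assumption for the demonstration; a real sanitizer should run
# this logic from a parser-level transformer (as Mastodon's sanitize config does).
def filter_classes_in_html(html)
  html.gsub(/\s+class=(["'])(.*?)\1/) do
    quote = Regexp.last_match(1)
    kept  = filter_class_attribute(Regexp.last_match(2))
    kept.empty? ? '' : " class=#{quote}#{kept}#{quote}"
  end
end

# Constructed sample: a legitimate mention (microformats + "mention"), a
# spoofed spinning icon, and a link dressed in a local UI class.
SAMPLE_STATUS = '<p><span class="h-card"><a class="u-url mention" href="https://example.invalid/@alice">@alice</a></span> ' \
                '<span class="fa fa-spin fa-cog"></span> ' \
                '<a class="status__content__spoiler-link" href="https://example.invalid/x">hidden</a></p>'

puts filter_classes_in_html(SAMPLE_STATUS) if $PROGRAM_NAME == __FILE__
```

Running the file prints the fragment with the mention markup intact, the spinner span reduced to an empty `<span>`, and the fake spoiler link stripped of its class; the href itself is untouched, which is exactly the "fake link" problem the thread flags as a separate issue.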