Whitelist classes for HTML elements in statuses #3790

duxovni · 2017-06-16T04:55:04Z

It's currently possible for a malicious OStatus server to send statuses that spoof parts of Mastodon's UI without violating the constraints of sanitize_config.rb:

<p>lewd <a class="status__content__spoiler-link" href="http://malware.ru/">Show more</a></p>

I searched or browsed the repo’s other issues to ensure this is not a duplicate.
This bug happens on a tagged release and not on master (If you're a user, don't worry about this).

The text was updated successfully, but these errors were encountered:

unarist · 2017-06-16T14:14:08Z

Note that similar appearance can be achieved with class attribute on span element, which available before my pull request:

<p>lewd <a href="http://malware.ru/"><span class="status__content__spoiler-link">Show more</span></a></p>

Also we can embed fake link without any class attributes:

<a href="http://malware.ru/">mastodon.social/media/bPR7ghQ...</a>

nolanlawson · 2017-06-16T17:27:29Z

Is this also the source of the "spinning" spans? I believe I saw something like <span class="fa fa-spin"></span> to achieve this.

duxovni · 2017-06-16T19:29:26Z

Yes, that's also a result of allowing arbitrary classes in statuses; it takes advantage of FontAwesome's "spinning icons" functionality.

nightpool · 2017-06-16T21:30:06Z

I'm working on a patch for this.

Allowed classes are currently: - Any microformats class (h/p/u/dt/e-*) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved mastodon#3790

* Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-*) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 * Fix code style

duxovni · 2017-06-17T19:31:13Z

Thanks @nightpool! This patch fixes the UI spoofing, but @unarist raised a very good point about fake links which is still unaddressed. I'll open it as a separate issue.

* Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-*) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved mastodon#3790 * Fix code style

clworld mentioned this issue Jun 16, 2017

Allow "class" attribute on the "a" tag in sanitization #3623

Merged

clworld added security Security issues and fixes, vulnerabilities and removed security Security issues and fixes, vulnerabilities labels Jun 16, 2017

nolanlawson added bug Something isn't working compatibility labels Jun 16, 2017

nightpool mentioned this issue Jun 16, 2017

Whitelist allowed classes for federated statuses #3810

Merged

Gargron closed this as completed in #3810 Jun 17, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Whitelist classes for HTML elements in statuses #3790

Whitelist classes for HTML elements in statuses #3790

duxovni commented Jun 16, 2017

unarist commented Jun 16, 2017 •

edited

nolanlawson commented Jun 16, 2017

duxovni commented Jun 16, 2017

nightpool commented Jun 16, 2017

duxovni commented Jun 17, 2017

Whitelist classes for HTML elements in statuses #3790

Whitelist classes for HTML elements in statuses #3790

Comments

duxovni commented Jun 16, 2017

unarist commented Jun 16, 2017 • edited

nolanlawson commented Jun 16, 2017

duxovni commented Jun 16, 2017

nightpool commented Jun 16, 2017

duxovni commented Jun 17, 2017

unarist commented Jun 16, 2017 •

edited