phryk-evil-mad-sciences-llc/poobrains
1
0
Fork 0
Code Issues 37 Pull Requests Projects Releases Wiki Activity

Make Markdown safe #21

New Issue
Open
opened 2020-06-14 18:53:45 +00:00 by phryk · 0 comments
phryk commented 2020-06-14 18:53:45 +00:00 (Migrated from rnd.phryk.net)
Copy Link

Currently any md.MarkdownField is an open invitation for XSS.
This should be fixed, even though none of those are exposed to
users who aren't logged in and have permission to add/edit
Storables with MarkdownFields.

Far as we know, md.MarkdownString is the only way markdown is currently used.
This means this is a central place where we can do cleanup of the input string.
markupsafe.Markup offers some nice functions like escape and strip_tags
for this. We might want to have a whitelist of allowed tags.

Currently any `md.MarkdownField` is an open invitation for XSS. This should be fixed, even though none of those are exposed to users who aren't logged in and have permission to add/edit `Storable`s with `MarkdownField`s. Far as we know, `md.MarkdownString` is the only way markdown is currently used. This means this is a central place where we can do cleanup of the input string. `markupsafe.Markup` offers some nice functions like `escape` and `strip_tags` for this. We might want to have a whitelist of allowed tags.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
ANA

Data analysis

  
BUG

Bug

  
CSS

[S]CSS

  
DOC

Documentation; Content – for the rendering system, see 'doc'

  
DX

Developer eXperience

  
ECO

Ecological sustainability

  
FET

Feature request

  
GFX

Graphics work. Icons and such.

  
PRO

Propaganda, Marketing, Building An Audience – call it what you will

  
SEC

Security

  
TPL

Templates; poobrains/theme/default – for theming issues, see 'rendering'

  
UX

User eXperience

  
VIS

Data visualization

  
analysis

analysis subsystem; poobrains.analysis

  
analysis.data

poobrains analysis data component; poobrains.analysis.data

  
analysis.editor

Data editor; poobrains.analysis.editor

  
analysis.util

analysis utilities; poobrains.analysis.util

  
analysis.visualization

data visualization; poobrains.analysis.visualization

  
auth

Authentication & Authorization system; poobrains.auth

  
cli

Command Line Interface; poobrains.cli

  
core

Core; Every piece of python code that's not part of a distinct subsystem

  
doc

Documentation rendering system; poobrains.doc – for content use 'DOC'

  
form

Forms system; poobrains.form

  
mailing

Mail system; poobrains.mailing

  
md

Markdown integration; poobrains.md

  
rendering

Rendering system; poobrains.rendering

  
storage

Storage system; poobrains.storage

  
svg

SVG system; poobrains.svg

  
svg.color

Color; poobrains.svg.color

  
svg.palettes

procedural palettes; poobrains.svg.palettes

  
testing

Testing system; poobrains.testing

No Label
ANA
BUG
CSS
DOC
DX
ECO
FET
GFX
PRO
SEC
TPL
UX
VIS
analysis
analysis.data
analysis.editor
analysis.util
analysis.visualization
auth
cli
core
doc
form
mailing
md
rendering
storage
svg
svg.color
svg.palettes
testing
Milestone
Clear milestone
No items
No Milestone
0.0.0.0-alpha
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: phryk-evil-mad-sciences-llc/poobrains#21
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?