  1. May 02, 2019
  2. Apr 27, 2019
    • 
      Fix xss vulnerability in origin save · 25af062c
      Kalpit Kothari authored
      Summary:
      Related T1690
      Added client side xss filter
      
      > Save code now is vulnerable to an XSS attack.
      >
      > Steps to reproduce:
      >
      >     Remove the validation from client side (with dev tools)
      >     Enter this url in origin url
      >
      > https://github.com/%3Cscript%3Ealert(document.domain);%3C/script%3E
      >
      > We should add more validations at the server side to prevent such urls from entering into the database.
      
      For server-side validation, I was thinking of preventing the regexes /.*(%3C).*(%3E)/ and /.*(javascript:).*/. There may be a few more cases we need to take care of.
      
      Or should we check whether the URL returns 200 or not before entering it into the table?
      
      Reviewers: #reviewers, anlambert
      
      Reviewed By: #reviewers, anlambert
      
      Subscribers: anlambert, vlorentz
      
      Differential Revision: https://forge.softwareheritage.org/D1433
  3. Apr 24, 2019
  4. Apr 23, 2019
  5. Apr 19, 2019
    • 
      assets: XSS filtering improvements · 1cf93d82
      Antoine Lambert authored
        - put related code in a dedicated file
      
        - use a XSS filtering hook to fix some image relative src urls included in README
          HTML rendering (load image bytes from the archive content if available)
      
        - remove previously introduced hacks in Python code as correct image loading in
          README HTML rendering is now handled client-side by the feature described above
      
      Related T1641
  6. Apr 18, 2019
  7. Apr 17, 2019
  8. Apr 15, 2019
  9. Apr 12, 2019
  10. Apr 10, 2019
  11. Apr 09, 2019
  12. Apr 05, 2019
  13. Apr 04, 2019
  14. Apr 03, 2019
  15. Apr 01, 2019
  16. Mar 30, 2019
  17. Mar 29, 2019
  18. Mar 27, 2019
  19. Mar 25, 2019
  20. Mar 15, 2019
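The server-side check proposed in the D1433 commit message above (Apr 27), written out as an added example in Python. This is not code from swh-web or from the commit author: it generalises the two proposed regexes by inspecting the percent-decoded URL and by restricting the scheme and host rather than only blacklisting a few byte sequences, and it pairs the check with the output-side escaping that keeps a stored URL harmless even when client-side validation is bypassed. The allowed scheme set, the length limit and the sample inputs are assumptions chosen for the example.

```python
import html
from typing import Tuple
from urllib.parse import unquote, urlsplit

# Assumed policy for this example (not swh-web's): schemes an origin URL may
# use, and an upper bound on its length.
ALLOWED_SCHEMES = {"http", "https", "git", "svn", "hg"}
MAX_URL_LENGTH = 2048


def _fully_decode(url: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly (bounded) so that both %3C and the
    double-encoded %253C end up as a literal '<' before inspection."""
    decoded = url
    for _ in range(rounds):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded


def validate_origin_url(url: str) -> Tuple[bool, str]:
    """Server-side check for an origin URL submitted to 'Save code now'.

    Returns (accepted, reason). Rejecting on the decoded form covers the
    %3Cscript%3E case from the bug report; restricting the scheme covers
    javascript: URLs without a substring blacklist."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LENGTH:
        return False, "empty, non-string or too long"
    decoded = _fully_decode(url)
    # Control characters and whitespace never belong in a repository URL.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch.isspace() for ch in decoded):
        return False, "control character or whitespace"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme {!r} not allowed".format(parts.scheme)
    if not parts.netloc:
        return False, "missing host"
    # HTML metacharacters anywhere in the decoded URL.
    if any(ch in decoded for ch in "<>\"'"):
        return False, "html metacharacter in decoded url"
    return True, "ok"


def render_origin_link(url: str) -> str:
    """Render a stored origin URL as an HTML anchor.

    Escaping at output time is the actual XSS fix; the validator above only
    keeps junk out of the database and cannot replace this step."""
    return '<a href="{0}">{1}</a>'.format(
        html.escape(url, quote=True), html.escape(url)
    )


if __name__ == "__main__":
    # Constructed sample inputs, including the payload quoted in the bug report.
    samples = [
        "https://github.com/SoftwareHeritage/swh-web",
        "https://github.com/%3Cscript%3Ealert(document.domain);%3C/script%3E",
        "https://github.com/%253Cscript%253E",
        "javascript:alert(1)",
        "https://github.com/a%0Ab",
    ]
    for sample in samples:
        accepted, reason = validate_origin_url(sample)
        print("{:8} {:40} {}".format("ACCEPT" if accepted else "REJECT", reason, sample))
    print(render_origin_link("https://github.com/<script>alert(1)</script>"))
```

Two points follow from the design. First, checking whether a URL answers 200, as the message also wonders, is neither necessary nor sufficient for this bug: a live host can serve a URL with a script tag in its path, and the stored string is what gets rendered. Second, escaping alone does not make a `javascript:` value safe inside an `href` attribute, which is why the scheme restriction stays in the validator.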