Files
@ c9159e6fda04
Branch filter:
Location: kallithea/docs/usage/debugging.rst
c9159e6fda04
1.2 KiB
text/prs.fallenstein.rst
cleanup: remove unnecessary (and potentially problematic) use of 'literal'
webhelpers.html.literal (kallithea.lib.helpers.literal) is only needed when
the passed string may contain HTML that needs to be interpreted literally.
It is unnecessary for plain strings.
Incorrect usage of literal can lead to XSS issues, via a malicious user
controlling data which will be rendered in other users' browsers. The data
could either be stored previously in the system or be part of a forged URL
the victim clicks on.
For example, when a user browses to a forged URL where a repository
changeset or branch name contains a javascript snippet, the snippet
was executed when printed on the page using 'literal'.
Remaining uses of 'literal' have been reviewed with no apparent problems
found.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
webhelpers.html.literal (kallithea.lib.helpers.literal) is only needed when
the passed string may contain HTML that needs to be interpreted literally.
It is unnecessary for plain strings.
Incorrect usage of literal can lead to XSS issues, via a malicious user
controlling data which will be rendered in other users' browsers. The data
could either be stored previously in the system or be part of a forged URL
the victim clicks on.
For example, when a user browses to a forged URL where a repository
changeset or branch name contains a javascript snippet, the snippet
was executed when printed on the page using 'literal'.
Remaining uses of 'literal' have been reviewed with no apparent problems
found.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).