[Commits] [wesnoth/wesnoth] 4d5a4f: wmlunits: Escape generated URLs and WML-defined ou...
GitHub
noreply at github.com
Wed Aug 9 07:04:02 UTC 2017
Branch: refs/heads/staging/wesmere-wmlunits
Home: https://github.com/wesnoth/wesnoth
Commit: 4d5a4fc4c65261ce63a45d0b4a2684dc59675708
https://github.com/wesnoth/wesnoth/commit/4d5a4fc4c65261ce63a45d0b4a2684dc59675708
Author: Ignacio R. Morelle <shadowm at wesnoth.org>
Date: 2017-08-09 (Wed, 09 Aug 2017)
Changed paths:
M data/tools/unit_tree/html_output.py
M data/tools/unit_tree/overview.py
Log Message:
-----------
wmlunits: Escape generated URLs and WML-defined output
Some refactoring and a lot of code changes are involved in this.
Basically, wmlunits has always fully trusted its WML input. This has
several implications:
* URLs such as the ones for unit detail views tend to contain
unescaped characters which are forbidden in URLs, such as spaces.
While browsers generally tolerate this well, the result is still
invalid HTML. The same applies to URLs used for inline CSS (e.g.
background-image).
* Most information read from WML such as unit names, descriptions,
campaign names, era names, and so on, was blindly trusted and could
allow an attacker to inject malicious HTML into units.wesnoth.org by
uploading an add-on that would pass the units.wesnoth.org build
process.
The resulting code might not be exempt from regressions, but hopefully
we'll identify them quickly. This commit contains some additional noise
in the form of style fixes around offending lines as well. Backporting
to 1.12 is, as far as I understand, unnecessary since units.wesnoth.org
uses the master branch version of wmlunits, but it might be worth
evaluating whether to issue a warning for the 1 person in the world who
might be running the 1.12 version of the units.wesnoth.org toolchain on
their own facilities (okay, let's face it, nobody would ever do that).
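As an added illustration of the two escaping steps the commit message describes (percent-encoding URL path components, and HTML-escaping WML-derived text and attribute values, including inline CSS), here is a small Python example. It is not wmlunits' own code: the unit record, the base URL https://example.invalid, and the function names are constructed for this example; the "unescaped" functions stand in for the trusting behaviour the message describes, and the escaped ones show the hardened form.

```python
"""Added example (not the wesnoth wmlunits code): escaping WML-derived
strings before they are placed into generated URLs and HTML."""
import html
import re
from urllib.parse import quote

# Constructed sample: a unit as wmlunits might read it from an uploaded add-on.
# The name carries quotes and markup, the image path carries a space.
BASE = "https://example.invalid"
UNIT = {
    "id": "Elvish Fighter",
    "name": 'Elvish "Fighter" <b>x</b>',
    "image": "units/elves wood/fighter.png",
}

# Characters allowed in a URL by RFC 3986 (unreserved + reserved + '%').
_URL_FORBIDDEN = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")


def has_forbidden_url_chars(url):
    """True if the URL contains characters (such as spaces) that are not
    permitted in a URL, i.e. the generated markup would be invalid."""
    return _URL_FORBIDDEN.search(url) is not None


def unit_detail_url_unescaped(base, unit_id):
    # Before: the WML unit id is copied verbatim into the path.
    return base + "/units/" + unit_id + ".html"


def unit_detail_url(base, unit_id):
    # After: percent-encode the path segment. safe="" also encodes '/',
    # so a crafted id cannot add path components.
    return base + "/units/" + quote(unit_id, safe="") + ".html"


def render_unit_link_unescaped(base, unit):
    # Before: name, href and inline CSS are interpolated without escaping,
    # so anything in the WML lands in the page as markup.
    return '<a href="%s" style="background-image: url(\'%s\')">%s</a>' % (
        unit_detail_url_unescaped(base, unit["id"]),
        unit["image"],
        unit["name"],
    )


def render_unit_link(base, unit):
    # After: every value is escaped for the context it is placed in.
    # href: URL-encoded first, then HTML-escaped as an attribute value.
    href = html.escape(unit_detail_url(base, unit["id"]), quote=True)
    # style: the url() operand is percent-encoded (keeping '/' for the
    # directory structure), then the whole attribute value is HTML-escaped.
    css = "background-image: url('%s')" % quote(unit["image"], safe="/")
    style = html.escape(css, quote=True)
    # text content: HTML-escaped so tags in the unit name are shown literally.
    label = html.escape(unit["name"], quote=True)
    return '<a href="%s" style="%s">%s</a>' % (href, style, label)


if __name__ == "__main__":
    print("before:", render_unit_link_unescaped(BASE, UNIT))
    print("after: ", render_unit_link(BASE, UNIT))
```

The escaped href is valid both as a URL and as an attribute value, the quote characters inside the `style` attribute become `&#x27;` (which browsers decode before parsing the CSS), and the `<b>` in the name is rendered as text rather than as an element. The `has_forbidden_url_chars` check is the kind of test one could run over generated pages to catch the invalid-URL case the message mentions.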