[Commits] [wesnoth/wesnoth] c5b2b8: wam: Fix HTML injection attack on the add-ons.wesn...

GitHub noreply at github.com
Mon Jul 24 07:06:27 UTC 2017


  Branch: refs/heads/1.10
  Home:   https://github.com/wesnoth/wesnoth
  Commit: c5b2b8a28b1ca2629653acaf936ba4e2ece7aaab
      https://github.com/wesnoth/wesnoth/commit/c5b2b8a28b1ca2629653acaf936ba4e2ece7aaab
  Author: Ignacio R. Morelle <shadowm at wesnoth.org>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M changelog
    M data/tools/addon_manager/html.py

  Log Message:
  -----------
  wam: Fix HTML injection attack on the add-ons.wesnoth.org web interface

This escapes all strings provided by add-ons server data to guarantee
they can't be used to get extraneous and potentially harmful HTML into
the generated web index.

However, and because I don't have time to look into the dense regex
contained in the relevant code right now, it also removes the hidden
feature of linkifying any URLs found in add-on descriptions. It's a
small price to pay for our safety, really.
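
An added example, not code from this commit or from the Wesnoth repository: a Python 3 sketch of escaping every server-provided string before it reaches the generated index, and of linkifying descriptions by escaping each piece separately and accepting only http(s) URLs. The function names, the `title`/`author`/`description` field names and the sample record are assumptions made for illustration.

```python
import html
import re

# Assumption: only absolute http/https URLs are worth linkifying.
# The pattern excludes quotes and angle brackets, so a match can never
# close the href attribute or open a tag.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def escape_field(value):
    """Escape one untrusted string for HTML text or a quoted attribute."""
    return html.escape(str(value), quote=True)

def linkify_escaped(text):
    """Escape raw text piece by piece, wrapping http(s) URLs in anchors."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(escape_field(text[pos:m.start()]))
        url = m.group(0).rstrip(".,;:!?)")   # keep trailing punctuation out of the link
        tail = m.group(0)[len(url):]
        safe = escape_field(url)
        out.append('<a href="%s" rel="nofollow noopener">%s</a>' % (safe, safe))
        out.append(escape_field(tail))
        pos = m.end()
    out.append(escape_field(text[pos:]))
    return "".join(out)

def render_row(addon):
    """Build one table row from an add-on record (hypothetical field names)."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        escape_field(addon["title"]),
        escape_field(addon["author"]),
        linkify_escaped(addon["description"]),
    )

# Constructed sample record, not real add-ons server data.
SAMPLE = {
    "title": "<img src=x onerror=alert(1)>",
    "author": 'a" onmouseover="x',
    "description": "Docs at https://example.org/?a=1&b=2. <img src=x onerror=alert(1)>",
}

if __name__ == "__main__":
    print(render_row(SAMPLE))
```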




