[Commits] [wesnoth/wesnoth] c5b2b8: wam: Fix HTML injection attack on the add-ons.wesn...
GitHub
noreply at github.com
Mon Jul 24 07:06:27 UTC 2017
Branch: refs/heads/1.10
Home: https://github.com/wesnoth/wesnoth
Commit: c5b2b8a28b1ca2629653acaf936ba4e2ece7aaab
https://github.com/wesnoth/wesnoth/commit/c5b2b8a28b1ca2629653acaf936ba4e2ece7aaab
Author: Ignacio R. Morelle <shadowm at wesnoth.org>
Date: 2017-07-24 (Mon, 24 Jul 2017)
Changed paths:
M changelog
M data/tools/addon_manager/html.py
Log Message:
-----------
wam: Fix HTML injection attack on the add-ons.wesnoth.org web interface
This escapes all strings provided by add-ons server data to guarantee
they can't be used to get extraneous and potentially harmful HTML into
the generated web index.
However, and because I don't have time to look into the dense regex
contained in the relevant code right now, it also removes the hidden
feature of linkifying any URLs found in add-on descriptions. It's a
small price to pay for our safety, really.
More information about the Commits
mailing list