[Commits] [wesnoth/wesnoth] 56990b: wam: Fix HTML injection attack on the add-ons.wesn...

GitHub noreply at github.com
Mon Jul 24 07:06:34 UTC 2017


  Branch: refs/heads/master
  Home:   https://github.com/wesnoth/wesnoth
  Commit: 56990b17d9de256750325415d186ea0e421c2c72
      https://github.com/wesnoth/wesnoth/commit/56990b17d9de256750325415d186ea0e421c2c72
  Author: Ignacio R. Morelle <shadowm at wesnoth.org>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M changelog
    M data/tools/addon_manager/html.py

  Log Message:
  -----------
  wam: Fix HTML injection attack on the add-ons.wesnoth.org web interface

This escapes all strings provided by add-ons server data to guarantee
they can't be used to get extraneous and potentially harmful HTML into
the generated web index.

However, and because I don't have time to look into the dense regex
contained in the relevant code right now, it also removes the hidden
feature of linkifying any URLs found in add-on descriptions. It's a
small price to pay for our safety, really.





More information about the Commits mailing list