[Commits] [wesnoth/wesnoth] 56990b: wam: Fix HTML injection attack on the add-ons.wesn...
GitHub
noreply at github.com
Mon Jul 24 07:06:34 UTC 2017
Branch: refs/heads/master
Home: https://github.com/wesnoth/wesnoth
Commit: 56990b17d9de256750325415d186ea0e421c2c72
https://github.com/wesnoth/wesnoth/commit/56990b17d9de256750325415d186ea0e421c2c72
Author: Ignacio R. Morelle <shadowm at wesnoth.org>
Date: 2017-07-24 (Mon, 24 Jul 2017)
Changed paths:
M changelog
M data/tools/addon_manager/html.py
Log Message:
-----------
wam: Fix HTML injection attack on the add-ons.wesnoth.org web interface
This escapes all strings provided by add-ons server data to guarantee
they can't be used to get extraneous and potentially harmful HTML into
the generated web index.
However, and because I don't have time to look into the dense regex
contained in the relevant code right now, it also removes the hidden
feature of linkifying any URLs found in add-on descriptions. It's a
small price to pay for our safety, really.
More information about the Commits
mailing list