[Commits] [wesnoth/wesnoth] 0e707d: wam: Fix HTML injection attack on the add-ons.wesn...
GitHub
noreply at github.com
Mon Jul 24 07:06:39 UTC 2017
Branch: refs/heads/1.12
Home: https://github.com/wesnoth/wesnoth
Commit: 0e707d641eb559ccd8a6aa027a84b2fc52b8417e
https://github.com/wesnoth/wesnoth/commit/0e707d641eb559ccd8a6aa027a84b2fc52b8417e
Author: Ignacio R. Morelle <shadowm at wesnoth.org>
Date: 2017-07-24 (Mon, 24 Jul 2017)
Changed paths:
M changelog
M data/tools/addon_manager/html.py
Log Message:
-----------
wam: Fix HTML injection attack on the add-ons.wesnoth.org web interface

This escapes all strings provided by add-ons server data to guarantee
they can't be used to get extraneous and potentially harmful HTML into
the generated web index.

However, and because I don't have time to look into the dense regex
contained in the relevant code right now, it also removes the hidden
feature of linkifying any URLs found in add-on descriptions. It's a
small price to pay for our safety, really.
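
An added example, not code from this commit or from the project's html.py: one way to escape every server-supplied string in a generated index row while still linkifying URLs in descriptions, the feature the commit removed. The function names, the record fields and the sample record are assumptions constructed for illustration.

```python
import html
import re

# Deliberately simple matcher (assumption): http/https only, and a URL ends
# at whitespace or at any character that could open or close markup.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def linkify_escaped(text):
    """Escape untrusted text and turn plain http(s) URLs into links.

    The raw string is split into URL and non-URL pieces first and each
    piece is escaped on its own, so no input character reaches the page
    unescaped, either as element content or inside the href attribute.
    """
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        raw = m.group(0).rstrip(".,;:!?)")  # keep sentence punctuation outside the link
        out.append(html.escape(text[pos:m.start()]))
        url = html.escape(raw)  # quote=True by default, so " and ' are escaped too
        out.append('<a href="%s" rel="nofollow noopener">%s</a>' % (url, url))
        pos = m.start() + len(raw)
    out.append(html.escape(text[pos:]))
    return "".join(out)

def render_row(addon):
    """Render one table row from a dict of server-supplied strings.

    The keys used here are hypothetical field names, not the real schema.
    """
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        html.escape(addon["title"]),
        html.escape(addon["author"]),
        linkify_escaped(addon["description"]),
    )

# Constructed sample record, not real add-ons server data.
SAMPLE = {
    "title": "<b>Era</b>",
    "author": 'x" onmouseover="1',
    "description": "Docs at https://example.org/a?b=1&c=2 <img src=x>",
}

if __name__ == "__main__":
    print(render_row(SAMPLE))
```

The only markup in the output is what the two functions emit themselves; everything taken from the record appears as escaped text.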