Conversation
Notices
-
r (r@freesoftwareextremist.com)'s status on Saturday, 23-Sep-2023 01:10:11 JST 
r
A patch for an XSS vulnerability in bloat, reported by @romin .
Please update your bloat.
https://git.freesoftwareextremist.com/bloat/commit/?id=cba88f94a24ad8b0c04d8fcbf2500d45156ce20f-
r (r@freesoftwareextremist.com)'s status on Saturday, 23-Sep-2023 01:10:10 JST
r
@romin CC @Moon @dcc @kirby @mint @p @w and † top dog :pedomustdie: like this. -
(mint@ryona.agency)'s status on Saturday, 23-Sep-2023 01:11:57 JST 
@r @dcc @w @p @kirby @Moon @romin >Sanitize user field name
I'm getting deja vu. Will merge a little later, thanks, for now my CSP should prevent any leakage.† top dog :pedomustdie: likes this. -
r (r@freesoftwareextremist.com)'s status on Saturday, 23-Sep-2023 01:18:43 JST
r
@mint I think it was the user display name before, and I switched to html/template after that. likes this. -
r (r@freesoftwareextremist.com)'s status on Saturday, 23-Sep-2023 01:26:31 JST
r
@mint I wasn't sure about the CSP headers, but I'm thinking about adding them now. likes this. -
(mint@ryona.agency)'s status on Saturday, 23-Sep-2023 01:29:34 JST
@r It might break user's custom CSS field, so I removed it entirely anyway in my fork, but I think that might be solved by making a special path that just returns stored CSS from cookie and adding said path to the policy. -
(mint@ryona.agency)'s status on Saturday, 23-Sep-2023 01:47:02 JST
@r Shouldn't you filter HTML in value field as well? -
ロミンちゃん (romin@shitposter.club)'s status on Saturday, 23-Sep-2023 01:50:56 JST 
ロミンちゃん
@mint @r pleroma sanitizes field values and the user bio. likes this. -
(mint@ryona.agency)'s status on Saturday, 23-Sep-2023 01:54:40 JST
@romin @r Figured much.
(using a basic table makes more sense from design perspective that just appending the values separated with dash to the bio)
Screenshot_20230922_195132.png -
r (r@freesoftwareextremist.com)'s status on Saturday, 23-Sep-2023 01:55:31 JST
r
@mint No, that field is sanitized by the server. It's a bit confusing, because only a specific fields are supposed to be sanitized by the server, but other fields may have HTML content anyway. Get the Swagger doc JSON from https://api.pleroma.social/ and look for the fields with "format": "html". likes this. -
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Saturday, 23-Sep-2023 02:15:56 JST 
pistolero :thispersondoesnotexist:
@r @Moon @dcc @kirby @mint @romin @w Thanks for the fix!
FSE's using old bloat, doesn't call EmojiFilter on those. Had it escape the fields and the values:
diff --git a/6e794f03206375339b95cbb603c9261908cab06c b/182a9fce5d43a674e5063068f62083137bbb0118
index 6e794f0..182a9fc 100644
--- a/6e794f03206375339b95cbb603c9261908cab06c
+++ b/182a9fce5d43a674e5063068f62083137bbb0118
@@ -127,7 +127,7 @@
{{EmojiFilter .User.Note .User.Emojis}}
</div>
{{if .User.Fields}}{{range .User.Fields}}
- <div>{{.Name}} - {{.Value}}</div>
+ <div>{{(html .Name)}} - {{(html .Value)}}</div>
{{end}}{{end}}
</div>
</div> likes this. -
laurel (laurel@freespeechextremist.com)'s status on Saturday, 23-Sep-2023 02:54:09 JST 
laurel
@r @mint
Doesn't html/template escape everything unless it's template.HTML type?
Do you reverse this behavior somewhere? likes this. -
laurel (laurel@freespeechextremist.com)'s status on Saturday, 23-Sep-2023 02:54:54 JST
laurel
@r @mint
Ohhhh, you feed it into raw(s string), that does exactly that. likes this. -
r (r@freesoftwareextremist.com)'s status on Saturday, 23-Sep-2023 02:55:09 JST
r
@laurel @mint Yes, when the content itself is in HTML, you'd want to show it as it is, without escaping. For example all your posts are presented as HTML by the server. There other cases like showing emoji as <img> tag instead of :emoji: where the client has to create HTML code from plain text. likes this.
-
All 076萌SNS content and data are available under the 