sanitise some admin-controlled HTML #406
What does this PR do?
as the static analysis noted, we were passing some values unfiltered from the backend to the frontend. now, in most cases this is perfectly fine, but some of those values are admin-controlled, and not filtered by the backend.
this PR passes those values (instance description and rules) through the sanitizeHtml function, which will remove things like <script> that could be used by a nasty admin to do nasty things. (NOTE: I could not get those scripts to actually execute, but just injecting them felt dangerous enough).
Contribution Guidelines
By submitting this merge request, you agree to follow our Contribution Guidelines
- I agree to follow this project's Contribution Guidelines
- I have made sure to test this pull request
Activity
I think the reason you couldn't get the scripts to execute is because of the forced Content-Security-Policy that is applied specifically for dev builds. Personally, I feel like the CSP shouldn't be set at all, especially for dev builds, given that no CSP is enforced for production, which could result in bugs that render instances with a lackluster CSP vulnerable to XSS attacks slipping through the cracks. Might be worth discussing in another issue.
That aside, LGTM! Ultimately, if an admin wants to be running additional code on top of Sharkey (or Misskey, for that matter), they should probably make a soft fork of their own.
mentioned in commit 0487d5ea