JS in feed content isn't sanitized at all. #111

AvverbioPronome · 2020-06-22T11:38:52Z

Expected behavior

I expect javascript in feed content NOT to be run

Actual behavior

Javascript in feed content runs

Steps to reproduce

put javascript in a feed (ie: <script>document.location.replace('https://example.com');</script>)
add feed to moonmoon
open main page on moonmoon

Moonmoon version

9.0.0-rc.3

The text was updated successfully, but these errors were encountered:

rdalverny · 2022-01-06T21:15:48Z

That's because of:

moonmoon/app/classes/PlanetFeed.php

Line 26 in ee9c408

$this->set_stupidly_fast(true);

Switching it to false will filter out the JavaScript (among other things). See https://github.com/simplepie/simplepie/blob/1aec297145a150f627e6ed82b8b084e0c933def8/library/SimplePie.php#L1178-L1191 for the changes it implies.

Maybe we should make both the full trigger configurable (but not recommended), or make a custom selection of the features to turn on/off? At least to force $this->strip_htmltags(true).

It's almost the same config as `set_stupidly_fast(true)` only we don't want to touch at `add_attributes` (because it's valuable safety) and we do want to strip specific tags (among which <script>, see moonmoon#111).

mauricesvay added bug security labels Dec 7, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JS in feed content isn't sanitized at all. #111

JS in feed content isn't sanitized at all. #111

AvverbioPronome commented Jun 22, 2020

rdalverny commented Jan 6, 2022

JS in feed content isn't sanitized at all. #111

JS in feed content isn't sanitized at all. #111

Comments

AvverbioPronome commented Jun 22, 2020

Expected behavior

Actual behavior

Steps to reproduce

Moonmoon version

rdalverny commented Jan 6, 2022