New HTML cleanup in post contents is too extreme #1169
Comments
Whoa whoa whoa. It's stripping the content of messages coming from other servers? This is totally wrong. Post content should be left unmodified. Sanitization is a client (in this case Web UI) matter.

@oshepherd AFAIK that's the intended behavior. The reason it's done is for anti-XSS - the intention isn't to screw around with anyone's content. /cc @evanp

@jankusanagi related issue: we can't allow arbitrary CSS. http://stackoverflow.com/questions/3607894/cross-site-scripting-in-css-stylesheets

I merged this because now
Yes. Sanitising the HTML that is displayed is fine and correct. Modifying the data sent over the wire is wrong. The JSON and embedded
Sanitising content before display is a client problem, not a server

Relevant spec sections: http://activitystrea.ms/specs/json/1.0/#republisher Honestly, I'm not quite sure if we're violating spec or not. In any case, I sent an email to Evan. It's his call to make, not mine.

It seems pretty clear to me from:
"When a Re-publisher transmits an object, the Re-publisher MUST maintain the"
that modifying an object is prohibited. Regardless, as said, the web UI accesses data from remote servers hence

This was discussed in the last meeting and we're going to continue to sanitize incoming objects, even though it's a violation of spec. @oshepherd I'll look into the web UI too, and make sure it handles this properly.

FYI the plan for this is at cure53/DOMPurify#176 CSS will be retained and there will be very little to no impact on "good" objects.

Fixed in master.
I noticed that certain posts containing `img` tags don't display the expected image, when seen from an up-to-date server, running the git version. Then I checked, and I saw that the "content" field in the JSON itself was being "sanitized". It's not a matter of webUI display, the received JSON itself is different, for any client.
The culprit seems to be this commit: 49dcced
The relevant line has this comment:

```js
// using defaults
// { allowedTags: ['b', 'i', 'em', 'strong', 'a'], allowedAttributes: { a: ['href']}}
```
So this could probably be easily configured to allow `style` and `img` tags without compromising security. As it is now, users of up-to-date git servers are not seeing posts with `img` tags in them, which is quite common to have in the Pump network. Also, less serious but still annoying, the fact that the `style` tags are removed makes most of the styling produced by the Dianara client invalid. Dianara uses Qt's richtext engine, which means that most of the visual stuff depends on `style` tags. Even `b` is turned into a `style someParams`.

P.S.- BTW, I've now checked that these alterations happen also with outgoing stuff, so posting with an `img` tag is not possible either. Those will be silently dropped from people's posts.

P.S.2.- Even if the post doesn't use those 'forbidden' tags, the 'sanitation' seems to add extra `p` tags between lines which were separated by `br`, or something like that. However it's done, it seems to result in posts with more spaces between lines. It's not very nice.
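As an added example (not pump.io's code, and not the library behind the commit above), here is the kind of allowlist policy the report asks for, modelled on the quoted defaults: `img` is allowed but only with `src`/`alt` and http(s) URLs, `style` is dropped together with its contents since arbitrary CSS cannot be allowed, and other unknown tags are unwrapped so their text survives. The `{tag, attrs, children}` tree shape, the `POLICY` object and the sample post are all constructed for the example; a real server would let an HTML sanitizer library do the parsing.

```javascript
// Added example, not pump.io's code: an allowlist policy applied to an already-parsed
// element tree. Nodes are {tag, attrs, children}; text nodes are plain strings.
const POLICY = {
  // Defaults quoted in the issue plus p/br/img; style is deliberately absent.
  allowedTags: ['b', 'i', 'em', 'strong', 'a', 'p', 'br', 'img'],
  allowedAttributes: { a: ['href'], img: ['src', 'alt'] },
  allowedSchemes: ['http', 'https'],    // for href/src; relative URLs also pass
  dropWithContent: ['style', 'script'], // removed entirely, text content included
};
// True for relative URLs or URLs whose (already entity-decoded) scheme is allowed.
function isSafeUrl(value) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(value);
  return m === null || POLICY.allowedSchemes.includes(m[1].toLowerCase());
}
// Returns an array: unwrapping a disallowed element can yield several siblings.
function sanitizeNode(node) {
  if (typeof node === 'string') return [node];
  const tag = node.tag.toLowerCase();
  if (POLICY.dropWithContent.includes(tag)) return [];
  const children = (node.children || []).flatMap(sanitizeNode);
  if (!POLICY.allowedTags.includes(tag)) return children; // keep text, drop markup
  const allowed = POLICY.allowedAttributes[tag] || [];
  const attrs = {};
  for (const [rawName, value] of Object.entries(node.attrs || {})) {
    const name = rawName.toLowerCase();
    if (!allowed.includes(name)) continue; // e.g. onerror is never on the list
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;
    attrs[name] = value;
  }
  return [{ tag, attrs, children }];
}
// Serialise the cleaned tree, escaping text and attribute values on the way out.
const esc = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
function render(nodes) {
  return nodes.map((n) => {
    if (typeof n === 'string') return esc(n);
    const a = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
    return (n.tag === 'br' || n.tag === 'img') ? `<${n.tag}${a}>` : `<${n.tag}${a}>${render(n.children)}</${n.tag}>`;
  }).join('');
}
function sanitizePost(tree) { return render(tree.flatMap(sanitizeNode)); }
// Constructed sample post: an image carrying a stray event-handler attribute,
// a style block (what Dianara emits), and a link with a non-http scheme.
const SAMPLE_POST = [{ tag: 'p', attrs: {}, children: ['Hello ',
  { tag: 'img', attrs: { src: 'https://example.org/cat.png', alt: 'cat', onerror: 'x' } },
  { tag: 'style', children: ['b { color: red }'] },
  { tag: 'a', attrs: { href: 'javascript:void(0)' }, children: ['link'] },
]}];
console.log(sanitizePost(SAMPLE_POST));
```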