~vpzom/lotide

[Bug hitide]: Rendering HTML from remote?

Message ID: <11664220.O9o76ZdvQC@hoshi>
DKIM signature: missing

Hi,

so I found that when requesting a user/account from a different host (e.g. 
mastodon.technology), the `user.description` contains HTML that is not 
rendered in the hitide UI.

The problem is, of course, including ("random") HTML from remote... Not sure 
how dangerous this actually is...

A possible fix would be to `render::raw!()` this part of the HTML.
The responsible line is src/routes/mod.rs #1430 as of 
c754ef892c49134efc5ea65a75dc8284bab5ff85 (master right now).

What do you think?

-- 
Matthias

Message ID: <e156957e-4190-5f4c-aa12-b271b53c58f6@vpzom.click>
In-Reply-To: <11664220.O9o76ZdvQC@hoshi>
DKIM signature: missing

We certainly can't just embed untrusted HTML, but this is the same
situation as post content, which lotide sanitizes with ammonia before
returning it in the API. Probably should do the same with user descriptions
and then it would be okay to render them.
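As an added example (not lotide's code, which relies on the ammonia crate for this), here is a minimal allowlist sanitizer in Rust showing the principle the reply depends on: a few attribute-free tags pass through and every other piece of markup is escaped so it renders as literal text. The `sanitize` function name, the tag list and the sample input are assumptions for this illustration.

```rust
// Added illustration of the allowlist approach described in the reply; lotide
// itself uses the ammonia crate. Unlike ammonia, this toy does not balance
// tags or validate link URLs, so it is not a drop-in replacement.

const ALLOWED_TAGS: &[&str] = &["p", "br", "b", "i", "em", "strong"];

/// Escape characters that would otherwise be parsed as markup.
fn escape(s: &str) -> String {
    s.replace('&', "&amp;").replace('<', "&lt;").replace('>', "&gt;").replace('"', "&quot;")
}

/// Normalized form of `<inner>` if it is an allowed, attribute-free tag.
fn normalize_tag(inner: &str) -> Option<String> {
    let t = inner.trim();
    let (closing, name) = match t.strip_prefix('/') {
        Some(n) => (true, n),
        None => (false, t),
    };
    // Accept self-closing forms such as `<br/>`.
    let name = name.trim_end_matches('/').trim().to_ascii_lowercase();
    // Attributes, spaces or odd characters fail this check and get escaped,
    // which is what keeps `onclick=` handlers and `javascript:` links out.
    if name.chars().all(|c| c.is_ascii_alphanumeric()) && ALLOWED_TAGS.contains(&name.as_str()) {
        Some(if closing { format!("</{}>", name) } else { format!("<{}>", name) })
    } else {
        None
    }
}

/// Sanitize a remote-supplied description before rendering it as HTML.
pub fn sanitize(input: &str) -> String {
    let mut out = String::new();
    let mut rest = input;
    while let Some(start) = rest.find('<') {
        out.push_str(&escape(&rest[..start]));
        let after = &rest[start + 1..];
        let Some(end) = after.find('>') else {
            rest = &rest[start..]; // unterminated '<': escape the remainder
            break;
        };
        match normalize_tag(&after[..end]) {
            Some(tag) => out.push_str(&tag),
            None => out.push_str(&escape(&rest[start..start + end + 2])),
        }
        rest = &after[end + 1..];
    }
    out.push_str(&escape(rest));
    out
}
```

Calling `sanitize` on a constructed description such as `<p>Hi <b>there</b> <script>alert(1)</script></p>` keeps the paragraph and bold markup and turns the script element into visible `&lt;script&gt;` text.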