Subject: Re: [Bug hitide]: Rendering HTML from remote?
To: ~vpzom/lotide@lists.sr.ht
References: <11664220.O9o76ZdvQC@hoshi>
From: Colin Reeder
Date: Tue, 29 Dec 2020 10:48:37 -0700
In-Reply-To: <11664220.O9o76ZdvQC@hoshi>

We certainly can't just embed untrusted HTML, but this is the same situation as post content, which lotide sanitizes with ammonia before returning in the API.

Probably should do the same with user descriptions and then it would be okay to render them.