Fix YouTube embeds #383
Comments
It would be nice if we could somehow run Bleach only on what the user entered, and not on what (SpaceDock/KerbalStuff/kerbdown.py, lines 13 to 22 in 453f8d5)
You mean rearranging the I want to avoid that, as this could allow using MarkDown-specifics that Bleach doesn't detect or bugs in our rendering library in order to bypass sanitization and potentially insert unwanted HTML again.
That's the right general idea, but I was thinking more along the lines of replacing the
I assume imgur embedding is broken as well? It's in the extension code but easy to miss on the markdown page: "and Imgur albums"
We are not the first to encounter this! Python-Markdown/markdown#225 (comment)
This may already exist: https://pypi.org/project/mdx_bleach/
Ah, I see. That doesn't sound bad. It would also fix the potential problem of forgetting to put the However, we'd somehow need to tell the Markdown library to first run all rendering steps except our embed converter, then run Bleach, then run the embed conversion. I'll have to check the docs whether this is possible.
https://spacedock.info/mod/2202/test has a bunch of stuff that should be escaped, https://spacedock.info/mod/141/scatterer has a YouTube embed. I think I also have a mod in my local dev env that tries a bunch of other tags, like images via markdown and raw HTML, I can give you that in a minute.
Okay, pasted into the description of https://alpha.spacedock.info/mod/5/Awesome%20Mod
mdx_bleach throws an Side note, it works by adding to
Thanks, that will be useful. I added some embeds at the end for testing this issue.
It seems that bleach's attribute filter can accept a custom function, but
If we create our completely own filter, which we add additionally before the default filter, we could basically completely define what it does to each HTML "token". Another idea: basically keep the embed tags as is (in the
Description (What went wrong?):
In #336 we started using Bleach to fix that huge XSS vulnerability on SpaceDock. Bleach escapes all HTML tags and attributes that it considers unsafe (or better, that another library, `bleach-allowlist`, considers unsafe). This also broke YouTube embeds, which are explicitly advertised on the MarkDown info page.
Reproduction Steps (What did you do?):
Go to https://spacedock.info/mod/141/scatterer, see the escaped `iframe`, rendered from `[[https://www.youtube.com/watch?v=XVvglDyM-Ok]]`
Expected Behavior (What do you think should have happened instead?):
YouTube embeds should work as advertised.
Environment (OS/Browser/Plugins/etc):
All, Firefox on Linux & Windows here
Extra Information (Screenshots/Error Messages/Javascript Console Output):
Planning to work on this myself, opening the issue so I don't forget about it.
Initial idea: Allow iframes if the src is `www.youtube-nocookie.com`. Not sure if bleach is that configurable.