Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update 5.3.1, #1589 #1943

Merged
merged 7 commits into from
Jul 24, 2024
Merged

update 5.3.1, #1589 #1943

merged 7 commits into from
Jul 24, 2024

Conversation

elarlang
Copy link
Collaborator

This Pull Request relates to issue #1589

@tghosth
Copy link
Collaborator

tghosth commented May 2, 2024

Commented: #1589 (comment)

tghosth added a commit that referenced this pull request Jul 24, 2024
@tghosth
Reverting change to 5.3.1 which is being handled by #1943
dc66fb9
tghosth added a commit that referenced this pull request Jul 24, 2024
@jmanico @tghosth
Add requirement on dynamic URL building to resolve #1961 (#1978)
7ca3414 
* Update 0x13-V5-Validation-Sanitization-Encoding.md

Addressing comment #1961

* Reverting change to 5.3.1 which is being handled by #1943

---------

Co-authored-by: Josh Grossman <tghosth@users.noreply.github.com>
jmanico
jmanico previously approved these changes Jul 24, 2024
View reviewed changes
@jmanico
Copy link
Member

jmanico commented Jul 24, 2024
edited
Loading

Per #1589 (comment) I think we need to leave the CSS encoding in. Here is a copy of that comment to make it easier.

I think we need both 5.2.8 and 5.3.1
5.2.8 | Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar.
-- | --

This addresses sanitizing user authored cunks of CSS. Just like untrusted HTML is need to be sanitized.

5.3.1 | [MODIFIED] Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, CSS, URL parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara).
-- | --

This addresses adding user controlled data, like a color, into blocks of otherwise static css, which requires CSS encoding.

Different controls and to some degree different attacks, too.

I suggest:
| 5.3.1 | [MODIFIED] Verify that output encoding is relevant for the interpreter and context required, such as encoding the relevant characters for HTML elements, HTML attributes, CSS, JavaScript, URL parameters, HTTP headers, or SMTP.

@jmanico jmanico dismissed their stale review July 24, 2024 15:46

error on my part

@tghosth tghosth merged commit cc919fc into master Jul 24, 2024
6 checks passed
@tghosth tghosth deleted the elarlang-patch-1589 branch July 24, 2024 18:13
@tghosth
Copy link
Collaborator

tghosth commented Jul 24, 2024

I don't think this wording is perfect but it has taken too long to spend further on it for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tghosth tghosth tghosth approved these changes

@jmanico jmanico jmanico left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@elarlang @tghosth @jmanico