Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Blacklist data: URLs from templates #1110

Merged
merged 1 commit into from
Dec 9, 2015
Merged

Blacklist data: URLs from templates #1110

merged 1 commit into from
Dec 9, 2015

Conversation

dvoytenko
Copy link
Contributor

Closes #1114.

@dvoytenko
Copy link
Contributor Author

I added normalizer to match cases described in #1114.

@erwinmombay
Copy link
Member

LGTM, pending tests

dvoytenko added a commit that referenced this pull request Dec 9, 2015
@dvoytenko
Merge pull request #1110 from dvoytenko/mustache-sec2
5566fb8 
Blacklist data: URLs from templates
@dvoytenko dvoytenko merged commit 5566fb8 into ampproject:master Dec 9, 2015
@dvoytenko dvoytenko deleted the mustache-sec2 branch December 9, 2015 20:55
molnarg
molnarg reviewed Dec 10, 2015
View reviewed changes
src/sanitizer.js
@@ -58,6 +58,9 @@ const WHITELISTED_FORMAT_TAGS = [
const BLACKLISTED_ATTR_VALUES = [
/*eslint no-script-url: 0*/ 'javascript:',
/*eslint no-script-url: 0*/ 'vbscript:',
/*eslint no-script-url: 0*/ 'data:',
/*eslint no-script-url: 0*/ '<script',
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it necessary? Attribute values will be properly encoded, so there's no chance to actually insert the angle bracket into the final HTML.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is probably overkill. Will remove there last one.
On Dec 10, 2015 3:07 AM, "Gábor Molnár" notifications@github.com wrote:

In src/sanitizer.js
#1110 (comment):

@@ -58,6 +58,9 @@ const WHITELISTED_FORMAT_TAGS = [
const BLACKLISTED_ATTR_VALUES = [
/eslint no-script-url: 0/ 'javascript:',
/eslint no-script-url: 0/ 'vbscript:',

  • /eslint no-script-url: 0/ 'data:',
  • /eslint no-script-url: 0/ '<script',

Is it necessary? Attribute values will be properly encoded, so there's no
chance to actually insert the angle bracket into the final HTML.


Reply to this email directly or view it on GitHub
https://github.com/ampproject/amphtml/pull/1110/files#r47213528.

You received this message because you are subscribed to the Google Groups
"amphtml-eng-github" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to amphtml-eng-github+unsubscribe@google.com.
To post to this group, send email to amphtml-eng-github@google.com.
To view this discussion on the web visit
https://groups.google.com/a/google.com/d/msgid/amphtml-eng-github/ampproject/amphtml/pull/1110/r47213528%40github.com
https://groups.google.com/a/google.com/d/msgid/amphtml-eng-github/ampproject/amphtml/pull/1110/r47213528%40github.com?utm_medium=email&utm_source=footer
.

You received this message because you are subscribed to the Google Groups
"amphtml-eng" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to amphtml-eng+unsubscribe@google.com.
To post to this group, send email to amphtml-eng@google.com.
To view this discussion on the web visit
https://groups.google.com/a/google.com/d/msgid/amphtml-eng/ampproject/amphtml/pull/1110/r47213528%40github.com
https://groups.google.com/a/google.com/d/msgid/amphtml-eng/ampproject/amphtml/pull/1110/r47213528%40github.com?utm_medium=email&utm_source=footer
.

@elijahsoria elijahsoria mentioned this pull request May 28, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@erwinmombay erwinmombay

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dvoytenko @erwinmombay @molnarg @amphtml-team