Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FIX: display tables in posts history diff #6032

Merged
merged 4 commits into from
Jul 12, 2018
Merged

FIX: display tables in posts history diff #6032

merged 4 commits into from
Jul 12, 2018

Conversation

OsamaSayegh
Copy link
Member

I'm changing Régis code that he added for this security fix, so I'd like him to review this when he comes back :)

@OsamaSayegh OsamaSayegh requested a review from ZogStriP June 25, 2018 07:54
@discoursebot
Copy link

You've signed the CLA, OsamaSayegh. Thank you! This pull request is ready for review.

@discourse discourse deleted a comment Jun 26, 2018
@discourse discourse deleted a comment Jun 26, 2018
@SamSaffron
Copy link
Member

This is fine, but we need 1 test for it 👍

@OsamaSayegh
Copy link
Member Author

Added a test ✔️

@tgxworld
Copy link
Contributor

tgxworld commented Jul 4, 2018

@OsamaSayegh Could we also look at adding a test case for the XSS fix? It is unclear to me what the original security fix was trying to prevent at the moment. Also it seems like td is vulnerable to XSS as per https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE

@@ -252,8 +252,15 @@ export default Ember.Controller.extend(ModalFunctionality, {
if (viewMode === "side_by_side_markdown") {
return html;
} else {
const whiteLister = new WhiteLister({ features: { editHistory: true } });
const tableTags = ["table", "thead", "tbody", "th", "tr", "td"];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah this is not sitting right ... we have our default markdown whitelister ... why can we not use it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

helper.whiteList([
"table",
"tbody",
"thead",
"tr",
"th",
"td",
"div.md-table"
]);

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so can't we just ask pretty text for the whitelister it uses ? and simply reuse that?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tried using the same whitelister that pretty-text uses and it did fix this particular issue, however, it introduced a whole new bunch of issues. Mainly it messed up the layout and diff coloring (green and red) because all diff-ins and dif-del classes were stripped from diff HTML.

All this pain is caused by this bit here:

def self.tokenize(html)
me = new
parser = Nokogiri::HTML::SAX::Parser.new(me)
parser.parse("<html><body>#{html}</body></html>")
me.tokens
end

Specifically, Nokogiri Parser. It seems to be decoding HTML entities when parsing our HTML and returning HTML that's not absolutely safe and needs to be sanitized again.

Looks like there is a way to disable HTML decoding, but it doesn't work :/ (see this issue).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re: diff-ins and dif-del that is fine, I would then take the whitelister, clone it and add the 2 new classes you need. I follow about nokogiri making trouble.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to be sure before I start working on this, I'll need to whitelist those two classes with every HTML tag we allow in posts (I don't think I'll have to list all the tags manually in an array, I think I can get them from existing code). Is that OK?

@coding-horror
Copy link
Contributor

This seems like quite a lot of pain for a rather trivial thing to "fix".. are we sure this is all worth it?

@OsamaSayegh
Copy link
Member Author

Ok, never mind my last response. I took a break from this and came back to get it accidentally to work. I simply added back Regis' code and used our pretty-text whitelister and now it works. ✨

Let me know if it looks OK, and I'll fix tests and add a couple more for the security issue and this bug.

@SamSaffron
Copy link
Member

let me know when this is ready to merge

@OsamaSayegh
Copy link
Member Author

@SamSaffron Ok, I think this is now in good shape.

@SamSaffron
Copy link
Member

yay, yes this is exactly what I wanted! great work

@SamSaffron SamSaffron merged commit f13a722 into discourse:master Jul 12, 2018
@OsamaSayegh OsamaSayegh deleted the fix-tables-history-diff branch July 12, 2018 07:10
@discoursebot
Copy link

This pull request has been mentioned on Discourse Meta. There might be relevant details there:

https://meta.discourse.org/t/markdown-table-missing-from-edit-history/90243/4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

5 participants