Add parameters parsing for cssfixme #847
Comments
Is it possible to explain this issue? ❤️
@magsout we're moving http://hallvord.com/temp/moz/cssfixme.php to webcompat.com/tools/cssfixme (it's a tool to add standards/unprefixed CSS to -webkit-prefix only code). One of the features is that you can give it a URL via a get param, and it will automatically fetch that and put it in the tool for you -- that's what this bug is for.
Basically, we want this URL to work:
Handle ?url query string for css-fixme, #847
Let's not deploy this for now. There are some security/usability issues with the code. I found new ones.
It's too late, we already deployed. I'm going to disable it on master now. @karlcow, please file new issues.
Actually, no need for new issues @karlcow. This is the right place.
OK, fix deployed. I'm not even sure this feature is worth the trouble, given its ability to take down our server if we don't do it correctly:
Thanks! @miketaylr
I'm inclined to close this as WONTFIX, given that it's some nice sugar on top of the core functionality that is working. We have a lot of other features to worry about, that (in theory) don't have the same potential for dangerous security implications. I'm not even sure we should host https://github.com/webcompat/css-fixme/blob/master/cssfixme.php in our org's repo. It's just not safe code as-is. :(
Agreed with @miketaylr. I propose that, in the meantime, we close that feature.
Filed webcompat/css-fixme#16 which is related.
OK, let's close for now.
:(
@hallvors we can re-open (and re-add the feature) in the future, as long as we get security right.
/cssfixme.php?url=http%3A%2F%2Fhallvord.com%2Ftemp%2Fmoz%2FcompatTesterTesting%2Fstyle.css
should be able to inject the CSS stylesheets inside the textarea.
Be careful with security issues.
Depends on #12
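
An added example, not code from this thread or from the webcompat repositories: one way to vet the `?url=` value before the server fetches it. The thread does not spell out which issues were found, so the checks here (scheme, port, embedded credentials, resolved address) are general ones for any server-side fetch of a user-supplied URL; `check_url_param`, `resolve_host` and the limits are hypothetical names and values.

```python
import ipaddress
import socket
from urllib.parse import parse_qs, urlsplit

# Assumed policy values, not taken from the webcompat code base.
MAX_URL_LENGTH = 2048
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


def resolve_host(host):
    """Return every IP address the host name resolves to (uses live DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_url_param(request_target, resolver=resolve_host):
    """Return (url, None) if ?url= may be fetched, else (None, reason)."""
    values = parse_qs(urlsplit(request_target).query).get("url", [])
    if len(values) != 1:
        return None, "expected exactly one url parameter"
    url = values[0].strip()
    if len(url) > MAX_URL_LENGTH:
        return None, "url too long"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None, "malformed url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None, "scheme not allowed"
    if parts.username or parts.password or not parts.hostname:
        return None, "missing host or embedded credentials"
    if port not in ALLOWED_PORTS:
        return None, "port not allowed"
    try:
        addresses = resolver(parts.hostname)
    except OSError:
        addresses = []
    # Reject unresolvable hosts and loopback, private or link-local targets.
    if not addresses or not all(ipaddress.ip_address(a).is_global for a in addresses):
        return None, "host does not resolve to a public address"
    return url, None


if __name__ == "__main__":
    # Constructed demo: stub resolver with a stand-in public address.
    target = "/cssfixme.php?url=http%3A%2F%2Fhallvord.com%2Ftemp%2Fmoz%2FcompatTesterTesting%2Fstyle.css"
    print(check_url_param(target, resolver=lambda host: ["93.184.216.34"]))
```

The fetch itself should connect to the address that was validated, set a timeout and a response-size cap, and re-run the check on every redirect.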