Reference: Plume/Plume#44
from what I see, I think there is currently no mitigation against CSRF (ability to post from another website with a specially crafted link, without secret cookie knowledge), nor against XSS (run JS from untrusted input, maybe even from other instances sending comments)

XSS are mostly here because templates in .tera are not auto-escaped; we should rename each template file to .html.tera so they are.

Is there any rule on where HTML should be allowed, but then sanitized (like posts I guess), and where it is not and can simply be escaped? I don't think comments require HTML, but from the code, they currently seem to be allowed to.

There is a crate to help handling CSRF: https://crates.io/crates/csrf

New XSS were added when a dashboard was added (only works against oneself), and during template deduplication (works against anybody and hits any template which includes /templates/users/header.tera). We should take care not to forget to add .html before .tera to notify Tera that we need it to auto-escape HTML.

Tera doesn't seem to auto-escape arguments of functions; this allows an XSS on the user's name in macro.html.tera, users/followers.html.tera, templates/posts/details.html.tera, via the instance name in templates/instance/index.html.tera (which is a bit of a non-issue as admins can modify the template if they want to), and maybe in other locations, even if the proper extension is used.

I've fixed the two issues you mentioned; I think we are now protected. You can close this issue if you think everything is OK. 🙂

I can't spot any XSS right now; however there is still a CSRF issue on like, reshare and follow as they are GET requests. I think I'll close this and open another issue so people who know how to make a form beautiful can see it.

Oh yes, I forgot about them.
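The thread above raises two mitigations: contextual HTML escaping that is only switched on for templates named .html.tera, and state-changing actions (like, reshare, follow) that must stop being GET requests and must carry a CSRF token bound to the session. The block below is an added example written for this page; it is not Plume's code and it does not use the Tera or csrf crates. It is a std-only model in which the template name drives escaping the way the renaming in the thread does, and in which a like handler rejects GET, requires a session cookie, and compares the submitted form token against the server-side token in constant time. All names (escape_html, render, Request, Sessions, handle_like, the "sid-1"/"tok-abc" sample values) are assumptions made for the example.

```rust
// Added example, not Plume's code and not the Tera library: a std-only model of
// extension-gated HTML escaping and of a CSRF-protected state-changing endpoint.
// All identifiers and sample values here are illustrative assumptions.
use std::collections::HashMap;

/// Escape the characters that break out of an HTML text or attribute context.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Model of extension-based auto-escaping: substitutions are escaped only when
/// the template name ends in ".html" (the effect of renaming foo.tera to
/// foo.html.tera in the thread). Placeholders look like "{{ name }}".
pub fn render(template_name: &str, template: &str, vars: &HashMap<&str, &str>) -> String {
    let escape = template_name.ends_with(".html");
    let mut out = template.to_string();
    for (key, raw) in vars {
        let value = if escape { escape_html(raw) } else { (*raw).to_string() };
        out = out.replace(&format!("{{{{ {} }}}}", key), &value);
    }
    out
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Liked,
    MethodNotAllowed,
    Forbidden,
}

/// The parts of an HTTP request the handler needs (constructed, not a real server).
pub struct Request<'a> {
    pub method: &'a str,
    pub cookie_session: Option<&'a str>,
    pub form: HashMap<&'a str, &'a str>,
}

/// Server-side session store: session id -> CSRF token bound to that session.
pub struct Sessions(pub HashMap<String, String>);

/// Constant-time byte comparison so token checks do not leak match length.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Like endpoint: a GET here is exactly the cross-site problem in the thread
/// (an <img src="https://victim/like/42"> on another site fires it with the
/// victim's cookies), so only POST with a session-bound token is accepted.
pub fn handle_like(req: &Request, sessions: &Sessions) -> Outcome {
    if req.method != "POST" {
        return Outcome::MethodNotAllowed;
    }
    let sid = match req.cookie_session {
        Some(s) => s,
        None => return Outcome::Forbidden,
    };
    let expected = match sessions.0.get(sid) {
        Some(t) => t,
        None => return Outcome::Forbidden,
    };
    let submitted = match req.form.get("csrf_token") {
        Some(t) => *t,
        None => return Outcome::Forbidden,
    };
    if !ct_eq(expected.as_bytes(), submitted.as_bytes()) {
        return Outcome::Forbidden;
    }
    Outcome::Liked
}

fn main() {
    let mut vars = HashMap::new();
    vars.insert("name", "<script>alert(1)</script>"); // constructed hostile username
    println!("{}", render("users/header.html", "<h1>{{ name }}</h1>", &vars));
    println!("{}", render("users/header", "<h1>{{ name }}</h1>", &vars));

    let mut sessions = Sessions(HashMap::new());
    sessions.0.insert("sid-1".to_string(), "tok-abc".to_string()); // constructed session
    let get = Request { method: "GET", cookie_session: Some("sid-1"), form: HashMap::new() };
    println!("{:?}", handle_like(&get, &sessions));
}
```

The second render call shows what the thread describes: the same username, rendered through a template whose name lacks the .html suffix, reaches the page unescaped. The CSRF check deliberately does not trust the cookie alone, since the browser attaches cookies to cross-site requests automatically; only the form field, which another origin cannot read, proves the request came from a page the server rendered.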