
Doc: prevent XSS via args #7056

Merged
merged 2 commits into from
Nov 12, 2018

Conversation

makenowjust
Contributor

@makenowjust makenowjust commented Nov 9, 2018

The external name of a method arg is not HTML-escaped (and quotes are missing even when needed!). We can do XSS by this easily. In addition, a typeof restriction is not HTML-escaped, so we can also do XSS by this.

For example, run crystal docs against the following code:

```crystal
module Foo
  def meth("<b>foo bar</b>" baz : typeof("<b>fizz</b>") = "<b>buzz</b>")
  end

  macro mac("<b>foo bar</b>" baz = "<b>fizz</b>")
  end
end
```

Before: (screenshot of the generated docs)

After: (screenshot of the generated docs)

Thank you.
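To make the two escaping gaps concrete, here is a small Ruby model (added for this page; it is not Crystal's doc generator code) that renders one argument signature to HTML twice: once the way the PR describes the bug, with the external name and the typeof restriction interpolated raw and the external name's quotes dropped, and once hardened, re-quoting a non-identifier external name and HTML-escaping every fragment. The `Arg` struct, the `IDENT` pattern and the function names are assumptions of this example.

```ruby
require "cgi"

# Constructed model of a documented argument. The fields are an assumption
# for this example, not Crystal's own AST node.
Arg = Struct.new(:external_name, :name, :restriction, :default, keyword_init: true)

# Vulnerable rendering, modelling the behaviour the PR describes: the
# external name and the restriction reach the page verbatim, and the
# external name has lost the quotes it needs.
def render_arg_vulnerable(arg)
  out = String.new
  out << "#{arg.external_name} " if arg.external_name && arg.external_name != arg.name
  out << arg.name
  out << " : #{arg.restriction}" if arg.restriction
  out << " = #{CGI.escapeHTML(arg.default)}" if arg.default
  out
end

# A plain identifier needs no quoting; anything else must be re-quoted.
IDENT = /\A[A-Za-z_][A-Za-z0-9_]*\z/

# Hardened rendering: quote the external name when it is not an identifier
# (String#inspect adds the quotes and escapes), then HTML-escape every
# user-controlled fragment before it is concatenated into markup.
def render_arg_safe(arg)
  out = String.new
  if arg.external_name && arg.external_name != arg.name
    ext = arg.external_name
    ext = ext.inspect unless ext.match?(IDENT)
    out << CGI.escapeHTML(ext) << " "
  end
  out << CGI.escapeHTML(arg.name)
  out << " : " << CGI.escapeHTML(arg.restriction) if arg.restriction
  out << " = " << CGI.escapeHTML(arg.default) if arg.default
  out
end

# The argument from the PR description, modelled as data (constructed).
EXAMPLE = Arg.new(external_name: "<b>foo bar</b>", name: "baz",
                  restriction: 'typeof("<b>fizz</b>")', default: '"<b>buzz</b>"')

# An ordinary external name must still render unquoted and unchanged.
PLAIN = Arg.new(external_name: "to", name: "dest", restriction: "String", default: nil)

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_arg_vulnerable(EXAMPLE)}"
  puts "safe:       #{render_arg_safe(EXAMPLE)}"
end
```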

It is my failure since crystal-lang#7029. Sorry...
An external name of a method arg is not HTML-escaped (and quotes are missing even
when needed). We can do XSS by this easily. Otherwise, a `typeof` restriction is
not HTML-escaped, so we can also do XSS by this.
@bcardiff bcardiff added kind:bug A bug in the code. Does not apply to documentation, specs, etc. kind:docs labels Nov 9, 2018
@sdogruyol sdogruyol left a comment


Thank you @makenowjust 👍

@RX14 RX14 added this to the 0.27.1 milestone Nov 12, 2018
@RX14 RX14 merged commit c0a6716 into crystal-lang:master Nov 12, 2018
@makenowjust makenowjust deleted the fix/prevent-doc-args-xss branch November 12, 2018 23:45
Labels
kind:bug A bug in the code. Does not apply to documentation, specs, etc. security topic:tools:docs-generator