Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Escaping missing in block comments #3230

Closed
RoboErikG opened this issue Oct 14, 2019 · 2 comments
Closed

Escaping missing in block comments #3230

RoboErikG opened this issue Oct 14, 2019 · 2 comments
Labels
component: generators issue: bug Describes why the code or behaviour is wrong
Milestone
2019_q3_release

Comments

@RoboErikG
Copy link
Contributor

Describe the bug

Comments are not escaped correctly, meaning code can be inserted into a comment.

Via @joshlory
Sample repro: https://blockly-demo.appspot.com/static/demos/code/index.html#v9yjfg

xssCommentBug

To Reproduce

Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

Screenshots

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Stack Traces

Replace with error stack trace.

Additional context
@RoboErikG RoboErikG added issue: bug Describes why the code or behaviour is wrong component: generators labels Oct 14, 2019
@RoboErikG RoboErikG added this to the 2019_q3_release milestone Oct 14, 2019
@RoboErikG
Copy link
Contributor Author

Only affects JS and Python procedures, which are the only places multi-line comments are used.

RoboErikG added a commit to RoboErikG/blockly that referenced this issue Oct 14, 2019
@RoboErikG
Remove multi-line comments to avoid escaping
2c69e42 
Fixes google#3230 by removing multi-line comments for procedures.
@RoboErikG RoboErikG mentioned this issue Oct 14, 2019
Merged
3 tasks
RoboErikG added a commit to RoboErikG/blockly that referenced this issue Oct 14, 2019
@RoboErikG
Remove multi-line comments to avoid escaping
f29e2e3 
Fixes google#3230 by removing multi-line comments for procedures.
RoboErikG added a commit that referenced this issue Oct 14, 2019
@RoboErikG
Remove multi-line comments to avoid escaping (#3231)
e62c2a3 
Fixes #3230 by removing multi-line comments for procedures.
RoboErikG added a commit to RoboErikG/blockly that referenced this issue Oct 14, 2019
@RoboErikG
Remove multi-line comments to avoid escaping (google#3231)
f353152 
Fixes google#3230 by removing multi-line comments for procedures.
@RoboErikG RoboErikG mentioned this issue Oct 14, 2019
Merged
3 tasks
RoboErikG added a commit that referenced this issue Oct 14, 2019
@RoboErikG
Remove multi-line comments to avoid escaping (#3231) (#3232)
52a6992 
Fixes #3230 by removing multi-line comments for procedures.
@RoboErikG
Copy link
Contributor Author

Fixed in this week's release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: generators issue: bug Describes why the code or behaviour is wrong
Projects
None yet
Milestone
2019_q3_release
Development

No branches or pull requests
1 participant
@RoboErikG