Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removes useless escapes from ppNix in options page. #229

Merged
merged 1 commit into from Jul 23, 2018
Merged

Removes useless escapes from ppNix in options page. #229

merged 1 commit into from Jul 23, 2018

Conversation

samueldr
Copy link
Member

@samueldr samueldr commented Jul 1, 2018

This is safe since all calls to ppNix are made using .text().

  • nixos-homepage/nixos/options.tt

    Lines 324 to 328 in f74049d

    if ('default' in opt)
    $('.default', details).empty().addClass('pre').text(ppNix('', opt.default));
    if ('example' in opt)
    $('.example', details).empty().addClass('pre').text(ppNix('', opt.example));

And anyway the previous escapes were done only one time, making it
trivial to bypass

> "<<<<<".replace("<", "&gt;")
→ "&gt;<<<<"

This has further been manually verified (with an hand-modified options.json) to
not cause opportunities for HTML injection.

image

image

@samueldr
Copy link
Member Author

samueldr commented Jul 1, 2018

As reported on IRC by @infinisil

edolstra
edolstra reviewed Jul 2, 2018
View reviewed changes
nixos/options.tt Outdated
@@ -243,7 +243,7 @@ function ppNix(indent, v) {
}

if (typeof v == "string") {
v = v.replace('<', '&lt;').replace('>', '&gt;');
v = v;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess v = v is redundant?

Copy link
Member Author

@samueldr samueldr Jul 2, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, I removed the same pattern from both location (and tested both cases) but didn't stop and look at what was left at the second location. It's now fixed.

@samueldr
Removes useless escapes from ppNix in options page.
67c615f 
This is safe since all calls to `ppNix` are made using `.text()`.

 * https://github.com/NixOS/nixos-homepage/blob/f74049df65db247ce156022155a966c272ffb96c/nixos/options.tt#L324-L328

And *anyway* the previous escapes were done only one time, making it
trivial to bypass

```
> "<<<<<".replace("<", "&gt;")
→ "&gt;<<<<"
```

This has further been manually verified (with an hand-modified options.json) to
not cause opportunities for HTML injection.
@edolstra edolstra merged commit fa614b1 into NixOS:master Jul 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra edolstra left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@samueldr @edolstra