diff options
| author |  default | 2023-06-16 09:25:32 +0200 |
|---|---|---|
| committer | default | 2023-06-16 09:25:32 +0200 |
| commit | 5be22394675bff99cae673251696f8d0ce8ce0de (patch) | |
| tree | 62231f459d9ff06393b3f29712bd55bb7f42f788 /html.c | |
| parent | Version 2.35 RELEASED. (diff) | |
| download | snac2-5be22394675bff99cae673251696f8d0ce8ce0de.tar.gz snac2-5be22394675bff99cae673251696f8d0ce8ce0de.tar.xz snac2-5be22394675bff99cae673251696f8d0ce8ce0de.zip | |
Quick fix to "Script self-injection in edit box".
In the 'Edit...' box, the sourceContent (which was written by a user)
has its < replaced with < . This issue does not propagate to the
public timeline nor to the recipients of the post.
Reference: https://codeberg.org/grunfink/snac2/issues/53
Diffstat (limited to 'html.c')
| -rw-r--r-- | html.c | 6 |
1 files changed, 4 insertions, 2 deletions
| @@ -668,9 +668,11 @@ xs_str *html_entry_controls(snac *snac, xs_str *os, const xs_dict *msg, const ch | |||
| 668 | 668 | ||
| 669 | s = xs_str_cat(s, "</form>\n"); | 669 | s = xs_str_cat(s, "</form>\n"); |
| 670 | 670 | ||
| 671 | char *prev_src = xs_dict_get(msg, "sourceContent"); | 671 | const char *prev_src1 = xs_dict_get(msg, "sourceContent"); |
| 672 | |||
| 673 | if (!xs_is_null(prev_src1) && strcmp(actor, snac->actor) == 0) { | ||
| 674 | xs *prev_src = xs_replace(prev_src1, "<", "<"); | ||
| 672 | 675 | ||
| 673 | if (!xs_is_null(prev_src) && strcmp(actor, snac->actor) == 0) { | ||
| 674 | /* post can be edited */ | 676 | /* post can be edited */ |
| 675 | xs *s1 = xs_fmt( | 677 | xs *s1 = xs_fmt( |
| 676 | "<p><details><summary>%s</summary>\n" | 678 | "<p><details><summary>%s</summary>\n" |