Skip to content
This repository was archived by the owner on Apr 23, 2020. It is now read-only.

Log tab XSS fix #369

Open
haywhisksoftware wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Log tab XSS fix #369

haywhisksoftware wants to merge 3 commits into from

Conversation

@haywhisksoftware
Copy link

@haywhisksoftware haywhisksoftware commented Feb 5, 2018

Old: custom tabs' content was 100% considered to be HTML, thanks to jQuery's load method.

The "Log" tab was one such custom tab.

New: custom tabs' content is now either text or HTML, depending on the value of the UITabSpec associated with the custom tab.
It should be noted that, with this fix, HTML-intended custom tabs are still potentially vulnerable to cross-site scripting, and must appropriately escape or encode any data they want to output to an HTML context.

@haywhisksoftware
Treats custom tab (e.g., Logs) content as text, instead of HTML.
ba09d0d 
Fixes soabase#331.
@haywhisksoftware
Fixes a possible regression:
38fae1e 
A creator of a UITab may designate the tab to serve HTML content. This is reflected in the "html" variable of the corresponding UITabSpec.

The previous commit for issue soabase#331 would have rendered all custom tab content as plain text, which may have ruined someone's day if they were hoping that their custom tab's content would render as HTML. This change renders custom tab content as text or HTML depending on the "html" variable.

For the Log tab, the content is plain text.
@haywhisksoftware
Adds a blank line to trigger a Travis rebuild.
f9ffc67
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@haywhisksoftware