1
0
Fork 0

addImageTitle: Fix HTML injection

This rewrite rule would change this:

    <img title="<foo>">

to this:

    <figure><img><figcaption><foo></figcaption></figure>

The image title needs to be properly escaped.
This commit is contained in:
Peter De Wachter 2019-08-14 09:33:54 +02:00 committed by Frédéric Guillot
parent 3a39d110f0
commit ea2b6e3608
2 changed files with 11 additions and 1 deletions

View file

@ -6,6 +6,7 @@ package rewrite // import "miniflux.app/reader/rewrite"
import (
"fmt"
"html"
"regexp"
"strings"
@ -32,7 +33,7 @@ func addImageTitle(entryURL, entryContent string) string {
srcAttr, _ := img.Attr("src")
titleAttr, _ := img.Attr("title")
img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + titleAttr + `</p></figcaption></figure>`)
img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + html.EscapeString(titleAttr) + `</p></figcaption></figure>`)
})
output, _ := doc.Find("body").First().Html()

View file

@ -61,6 +61,15 @@ func TestRewriteWithXkcdLink(t *testing.T) {
}
}
func TestRewriteWithXkcdLinkHtmlInjection(t *testing.T) {
description := `<img src="https://imgs.xkcd.com/comics/thermostat.png" title="<foo>" alt="<foo>" />`
output := Rewriter("https://xkcd.com/1912/", description, ``)
expected := `<figure><img src="https://imgs.xkcd.com/comics/thermostat.png" alt="&lt;foo&gt;"/><figcaption><p>&lt;foo&gt;</p></figcaption></figure>`
if expected != output {
t.Errorf(`Not expected output: got "%s" instead of "%s"`, output, expected)
}
}
func TestRewriteWithXkcdLinkAndImageNoTitle(t *testing.T) {
description := `<img src="https://imgs.xkcd.com/comics/thermostat.png" alt="Your problem is so terrible, I worry that, if I help you, I risk drawing the attention of whatever god of technology inflicted it on you." />`
output := Rewriter("https://xkcd.com/1912/", description, ``)