Remove bluemonday #1
Conversation
| github.com/nullrocks/identicon v0.0.0-20180626043057-7875f45b0022 | ||
| github.com/pkg/errors v0.9.1 |
There was a problem hiding this comment.
this appeared when running go mod tidy - seems some of the oauth changes brought it in
| ID: userID, | ||
| Name: userID, | ||
| Picture: fmt.Sprintf(c.URL+"/avatar?user=%s", userID), |
There was a problem hiding this comment.
vulnerability fixed: backslashes and double quotes in userID were not being escaped here
| Site: r.URL.Query().Get("site"), | ||
| User: safeHTML(user), | ||
| Address: safeHTML(address), | ||
| Token: template.HTMLEscapeString(tkn), | ||
| Site: template.HTMLEscapeString(site), |
There was a problem hiding this comment.
vulnerability fixed: site comes from a URL parameter and was not being HTML escaped at all. Token is less of an issue, but I added HTML escaping just-in-case. The user and address also had some "prettifying" and truncation logic (presumably for plain-text viewing), which I have preserved in safeHTML, though I don't really see the point.
| Audience: e.sanitize(r.URL.Query().Get("site")), | ||
| Audience: site, |
There was a problem hiding this comment.
this was incorrectly being HTML encoded, but never appears in any HTML document
This was previously used:
siteparameter).Both have been fixed properly here. Fortunately we're not using the email capability at all. Having seen this code makes me super uncomfortable about trusting these authors with anything authentication-related though…