Sanitize invalid JSON script #893

Merged 14 commits on Jan 24, 2018

Commits on Jan 23, 2018

  1. Address an issue where <script> tags weren't stripped.

    As Weston mentioned, adding this to the post content:
    Hello <script>document.write('world');</script>
    Produced:
    This looks to be related to how process_node() gets the $attr_spec_list.
    In some cases, all will have an equal 'score,'
    As indicated in $spec_ids_sorted.
    And sometimes, all of them will be missing a mandatory attribute.
    In that case, $attr_spec_list will be empty.
    If it is, use the first spec list in:
    $rule_spec_list_to_validate.
    This will need regression testing.
    Ryan Kienstra committed Jan 23, 2018
    e2f7d2e
  2. Address a Travis issue by storing the result of empty() in a variable.

    There was an error on the Travis build:
    Can't use function return value in write context.
    So store the result of reset() in $first_spec_list.
    Ryan Kienstra committed Jan 23, 2018
    c5f5168
  3. Test that <script> is removed, as it is missing an attribute.

    This has a mandatory attribute.
    And per the previous commits,
    It should fail validation.
    Ryan Kienstra committed Jan 23, 2018
    335d9ce
  4. f6ef76e
  5. 86bdf13

Commits on Jan 24, 2018

  1. 17f63ac
  2. d25e48f
  3. Merge pull request #892 from Automattic/fix/script-tags-output-cdata

    Address an issue where <script> tags aren't stripped.
    westonruter authored Jan 24, 2018
    0e494a7
  4. Merge branch '0.6' of https://github.com/Automattic/amp-wp into fix/sanitize-invalid-script-json

    westonruter committed Jan 24, 2018
    ce01d7f
  5. f436e29
  6. 3bd1b7b
  7. bd6d401
  8. Bump 0.6.0

    westonruter committed Jan 24, 2018
    cceaffb
  9. Merge branch '0.6' of https://github.com/Automattic/amp-wp into fix/sanitize-invalid-script-json

    westonruter committed Jan 24, 2018
    fa666c7