[tahoe-lafs-trac-stream] [tahoe-lafs] #1143: Double Encoding in HTML in File Names in WUI

[tahoe-lafs]

#1143: Double Encoding in HTML in File Names in WUI
-----------------------------------+---------------------------
     Reporter:  chrisp             |      Owner:  davidsarah
         Type:  defect             |     Status:  assigned
     Priority:  major              |  Milestone:  1.10.0
    Component:  code-frontend-web  |    Version:  1.7.1
   Resolution:                     |   Keywords:  easy wui html
Launchpad Bug:                     |
-----------------------------------+---------------------------

Comment (by mk.fg):

 Replying to [comment:6 zooko]:
 > Since Nevow's {{{escapeToXML}}} method leaves single/double quotes
 intact, could that be used to malicious craft input which would confuse
 the HTML parser by having embedded quote characters?

 I don't really see how and don't think I've heard of such things
 happening, maybe example of what you mean would be helpful?

 I can imagine it happening only if malicious person can insert markup
 somewhere else, i.e. something like this:

 {{{
 <p>filename with <span randomattr="</p>
 <p>filename_that_should_be_hidden</p>
 <p>">visible_filename_ending</p>
 }}}

 But then again, I think if any tags can be inserted, it'll be something
 like <script> and the game is over, no amount of quote escaping should
 make any difference.

 Interesting thing to note that the source for this very page contains
 unescaped quotes in user-submitted content.

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1143#comment:7>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage