Cool_Tools/vichan
1
0
Fork 0
mirror of https://github.com/vichan-devel/vichan.git synced 2025-02-17 11:28:41 +01:00
Code Releases Wiki Activity

Fix information leak in thread.html (#377)

Browse Source 
Sensitive information can be leaked due to inadequate/absent escaping, if proxy_save enabled

Line 14 is truncating before removing tags, this can cause some tags to be cut and therefore not be removed by the `remove_` functions.
Line 22 is just leaking it all, not removing anything.
This commit is contained in:
papereth 2020-08-10 18:50:02 +02:00 committed by GitHub
parent cf6a733931
commit 2275735fdf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
templates/thread.html
View File

@ -11,7 +11,7 @@
{% include 'header.html' %}
{% set meta_subject %}{% if config.thread_subject_in_title and thread.subject %}{{ thread.subject|e }}{% else %}{{ thread.body_nomarkup[:256]|remove_modifiers|e }}{% endif %}{% endset %}
{% set meta_subject %}{% if config.thread_subject_in_title and thread.subject %}{{ thread.subject|e }}{% else %}{{ thread.body_nomarkup|remove_modifiers|remove_markup|e[:256] }}{% endif %}{% endset %}
<meta name="description" content="{{ board.url }} - {{ board.title|e }} - {{ meta_subject }}" />
<meta name="twitter:card" value="summary">
@ -19,7 +19,7 @@
<meta property="og:type" content="article" />
<meta property="og:url" content="{{ config.domain }}/{{ board.uri }}/{{ config.dir.res }}{{ thread.id }}.html" />
{% if thread.files.0.thumb %}<meta property="og:image" content="{{ config.domain }}/{{ board.uri }}/{{ config.dir.thumb }}{{ thread.files.0.thumb }}" />{% endif %}
<meta property="og:description" content="{{ thread.body_nomarkup|e }}" />
<meta property="og:description" content="{{ thread.body_nomarkup|remove_modifiers|remove_markup|e }}" />
<title>{{ board.url }} - {{ meta_subject }}</title>
</head>