
The h-entry content value should be sanitized/escaped before outputting it in HTML

Open kizu opened this issue 1 year ago • 0 comments

Example: https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fpotential-xss--kizu-blog.netlify.app%2Fweekly-bookmarks-002%2F — results in an XSS, as the source had escaped HTML inside <code> elements, but then the value gets the unescaped content (which seems to be expected).

I noticed this when testing the parsing of microformats for my blog as a part of IndieWebCamp — https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fblog.kizu.dev%2Fweekly-bookmarks-002%2F — and noticed the broken output:

[Screenshot: broken output of the indiewebify h-entry validator, showing how the unescaped code element breaks the display]

kizu, Oct 29 '23 13:10
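As an added illustration (not part of the issue or of the indiewebify.me code base), the following Python model shows the defect the report describes: the text `value` of an `e-content` property has its character references decoded, so dropping it into HTML without escaping turns a correctly escaped `<code>` snippet in the source post into live markup. The sample post and the `render_*` helpers are constructed for this example.

```python
"""Model of the report: `content.value` is plain text (entities already decoded),
so re-emitting it into HTML without escaping injects markup."""
import html
from html.parser import HTMLParser

# Constructed sample post: the author correctly escaped a snippet inside <code>.
SOURCE_HTML = (
    '<div class="h-entry"><div class="e-content">'
    '<p>Never paste <code>&lt;script&gt;alert(1)&lt;/script&gt;</code> into a page.</p>'
    '</div></div>'
)


class TextExtractor(HTMLParser):
    """Collects text nodes the way an mf2 parser builds a property's `value`:
    tags are dropped and character references are decoded (convert_charrefs)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def content_value(source_html):
    """Return the text form of e-content, i.e. what `content.value` holds."""
    p = TextExtractor()
    p.feed(source_html)
    p.close()
    return "".join(p.parts)


def render_unsafe(value):
    """What the validator did: interpolate the text value straight into HTML."""
    return f"<dd>{value}</dd>"


def render_safe(value):
    """The fix: escape the text value so '<', '>' and '&' cannot form tags."""
    return f"<dd>{html.escape(value, quote=True)}</dd>"


def contains_live_script(fragment):
    """Crude check for the symptom: an unescaped <script> tag in the output."""
    return "<script>" in fragment


if __name__ == "__main__":
    v = content_value(SOURCE_HTML)
    print(v)                  # decoded text, '<' is now literal
    print(render_unsafe(v))   # the decoded text becomes markup
    print(render_safe(v))     # entities restored, renders as text
```

If the validator wants to show the post's rich content instead, it should emit the sanitized `content.html` value (which keeps the original entities) rather than the text `value`.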