moonmoon icon indicating copy to clipboard operation
moonmoon copied to clipboard
verified publisher icon moonmoon

JS in feed content isn't sanitized at all.

Open AvverbioPronome opened this issue 5 years ago • 1 comments

Expected behavior

I expect javascript in feed content NOT to be run

Actual behavior

Javascript in feed content runs

Steps to reproduce

  • put javascript in a feed (ie: <script>document.location.replace('https://example.com');</script>)
  • add feed to moonmoon
  • open main page on moonmoon

Moonmoon version

9.0.0-rc.3

AvverbioPronome avatar Jun 22 '20 11:06 AvverbioPronome

That's because of: https://github.com/moonmoon/moonmoon/blob/ee9c408f719491ecb7947d83994bed1803a988e8/app/classes/PlanetFeed.php#L26

Switching it to false will filter out the JavaScript (among other things). See https://github.com/simplepie/simplepie/blob/1aec297145a150f627e6ed82b8b084e0c933def8/library/SimplePie.php#L1178-L1191 for the changes it implies.

Maybe we should make both the full trigger configurable (but not recommended), or make a custom selection of the features to turn on/off? At least to force $this->strip_htmltags(true).

rdalverny avatar Jan 06 '22 21:01 rdalverny