This repository has been archived by the owner on Apr 23, 2020. It is now read-only.

Log tab XSS fix #369

Open: wants to merge 3 commits into base: master

Conversation

haywhisksoftware

Old: custom tabs' content was 100% considered to be HTML, thanks to jQuery's load method.

The "Log" tab was one such custom tab.

New: custom tabs' content is now either text or HTML, depending on the value of the UITabSpec associated with the custom tab.
It should be noted that, with this fix, HTML-intended custom tabs are still potentially vulnerable to cross-site scripting, and must appropriately escape or encode any data they want to output to an HTML context.

A creator of a UITab may designate the tab to serve HTML content. This is reflected in the "html" variable of the corresponding UITabSpec.

The previous commit for issue soabase#331 would have rendered all custom tab content as plain text, which may have ruined someone's day if they were hoping that their custom tab's content would render as HTML. This change renders custom tab content as text or HTML depending on the "html" variable.

For the Log tab, the content is plain text.
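The old and new rendering paths described above, as an added example that is not this PR's or the project's own code. It models the `html` flag of a UITabSpec with a plain object and stands in for the jQuery-wrapped tab element with a minimal object so it runs in Node; the helper and object shapes are assumptions.

```javascript
// Added example (not the project's code): the old path inserts whatever the
// server returns as HTML, the new path honours the UITabSpec "html" flag.

// Escape the characters that matter when untrusted text lands in an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Minimal stand-in for a jQuery-wrapped tab element (assumed shape): .html()
// sets raw markup, .text() sets escaped content, like the jQuery methods.
function makeTab() {
  return {
    innerHTML: '',
    html: function (markup) { this.innerHTML = String(markup); return this; },
    text: function (s) { this.innerHTML = escapeHtml(s); return this; },
  };
}

// Old behaviour: $(tab).load(url) treated every response body as HTML.
function renderOld(tab, body) {
  return tab.html(body);
}

// New behaviour: the spec's "html" flag decides between .html() and .text().
// (UITabSpec and its "html" field come from the PR; this object shape is assumed.)
function renderNew(tab, spec, body) {
  return spec.html ? tab.html(body) : tab.text(body);
}

// Constructed log line that happens to contain markup, as a log file easily can.
const SAMPLE_LOG = 'WARN client "<script>/* untrusted */</script>" disconnected';

function demo() {
  const logSpec = { name: 'Log', html: false };    // the Log tab is plain text
  const customSpec = { name: 'Custom', html: true }; // an HTML-intended custom tab
  return {
    old: renderOld(makeTab(), SAMPLE_LOG).innerHTML,          // markup goes live
    logTab: renderNew(makeTab(), logSpec, SAMPLE_LOG).innerHTML, // escaped
    htmlTab: renderNew(makeTab(), customSpec, SAMPLE_LOG).innerHTML, // still raw
  };
}
```

The `htmlTab` result shows the caveat in the PR text: a tab that opts into HTML still receives the body unescaped, so it must encode any untrusted data itself.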