From ea2b6e3608624a2a14af1956a3ad0035b7fb09f0 Mon Sep 17 00:00:00 2001 From: Peter De Wachter Date: Wed, 14 Aug 2019 09:33:54 +0200 Subject: [PATCH] addImageTitle: Fix HTML injection This rewrite rule would change this: to this:
The image title needs to be properly escaped.
---
 reader/rewrite/rewrite_functions.go | 3 ++-
 reader/rewrite/rewriter_test.go | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/reader/rewrite/rewrite_functions.go b/reader/rewrite/rewrite_functions.go
index 6ce96937..667f3591 100644
--- a/reader/rewrite/rewrite_functions.go
+++ b/reader/rewrite/rewrite_functions.go
@@ -6,6 +6,7 @@ package rewrite // import "miniflux.app/reader/rewrite"
 import (
 "fmt"
+ "html"
 "regexp"
 "strings"
@@ -32,7 +33,7 @@ func addImageTitle(entryURL, entryContent string) string {
 srcAttr, _ := img.Attr("src")
 titleAttr, _ := img.Attr("title")
- img.ReplaceWithHtml(`
` + altAttr + `

` + titleAttr + `

`) + img.ReplaceWithHtml(`
` + altAttr + `

` + html.EscapeString(titleAttr) + `

`)
 })
 output, _ := doc.Find("body").First().Html()
diff --git a/reader/rewrite/rewriter_test.go b/reader/rewrite/rewriter_test.go
index fe37b539..9bd83e84 100644
--- a/reader/rewrite/rewriter_test.go
+++ b/reader/rewrite/rewriter_test.go
@@ -61,6 +61,15 @@ func TestRewriteWithXkcdLink(t *testing.T) {
 }
 }
+func TestRewriteWithXkcdLinkHtmlInjection(t *testing.T) {
+ description := `<foo>`
+ output := Rewriter("https://xkcd.com/1912/", description, ``)
+ expected := `
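Review bot: The alt value is still concatenated unescaped into the replacement markup on the new side (`` ` + altAttr + ` ``, the line just before the escaped title), so only one of the attribute values read from the source image is neutralised; goquery's Attr hands back the decoded value, so a quote or angle bracket in alt lands verbatim in the rebuilt element. Give it the same treatment: `` ` + html.EscapeString(altAttr) + ` `` — html.EscapeString also escapes double quotes, so it is safe inside an attribute value. srcAttr, read on the context line above, presumably goes into the same string and should be escaped likewise; the tag markup around these interpolations is not visible in this rendering, so confirm against the file. If the rewritten content passes through a sanitizer further down the pipeline that limits the exposure, but escaping at the point where the HTML is assembled is the cheaper guarantee. addImageTitle begins before this hunk.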
<foo>

<foo>

`
+ if expected != output {
+ t.Errorf(`Not expected output: got "%s" instead of "%s"`, output, expected)
+ }
+}
+
 func TestRewriteWithXkcdLinkAndImageNoTitle(t *testing.T) {
 description := `Your problem is so terrible, I worry that, if I help you, I risk drawing the attention of whatever god of technology inflicted it on you.`
 output := Rewriter("https://xkcd.com/1912/", description, ``)
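Review bot: TestRewriteWithXkcdLinkHtmlInjection pins only the title path; since the alt value is rebuilt into the same markup by addImageTitle, a sibling case whose alt contains a double quote and an angle bracket would lock in escaping for the attribute context as well, which the current assertion cannot detect. On style, the failure message formats both strings with `%s`; `%q` keeps empty values and whitespace visible, `t.Errorf("unexpected output: got %q, want %q", output, expected)`.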