
Use angular to sanitize plugin description. #13714

Merged: 2 commits from escape-plugin-description into 3.x-dev, Dec 8, 2018

Conversation

diosmosis (Member)

No description provided.

@diosmosis diosmosis added the Needs Review PRs that need a code review label Nov 14, 2018
@diosmosis diosmosis added this to the 3.8.0 milestone Nov 14, 2018
@@ -141,7 +141,7 @@
</div>
<div class="plugin-desc-text">

{{ plugin.info.description|raw|nl2br }}
<div ng-bind-html="{{ plugin.info.description|raw|nl2br|json_encode|e('html_attr') }}"></div>
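Review bot: the replacement line still passes the description through `raw` before `nl2br`, so Twig emits the plugin-supplied markup unescaped and the whole protection rests on what Angular does with `ng-bind-html`; that binding only sanitizes when the ngSanitize module is loaded (without it AngularJS throws an $sce error and renders nothing), and even with it the plugin keeps control of every tag the sanitizer permits. Given the decision in this thread to stop allowing HTML in descriptions, the simpler fix is server-side: drop `raw` and let autoescaping do the work, since `{{ plugin.info.description|nl2br }}` escapes the text before inserting its `<br />` tags, which makes the extra `<div ng-bind-html=...>` unnecessary. A text-only description should render identically under both variants, which is a quick check for whichever version lands.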
Member

It seems the only plugin that uses html is custom variables? I'd be tempted to simply not allow HTML in the plugin description.

Member Author

Don't have an opinion personally.

Member

I'll remove the HTML from custom variables and no longer allow HTML there.

@@ -150,7 +150,7 @@
'https://matomo.org', 'https://www.matomo.org', 'https://matomo.org/', 'https://www.matomo.org/'
] %}
<span class="plugin-homepage">
<a target="_blank" rel="noreferrer noopener" href="{{ plugin.info.homepage }}">({{ 'CorePluginsAdmin_PluginHomepage'|translate|replace({' ': '&nbsp;'})|raw }})</a>
<a target="_blank" rel="noreferrer noopener" href="{{ plugin.info.homepage|e('url') }}">({{ 'CorePluginsAdmin_PluginHomepage'|translate|replace({' ': '&nbsp;'})|raw }})</a>
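Review bot: `e('url')` applied to the whole `plugin.info.homepage` value percent-encodes the `:` and `/` of the URL itself (it is meant for a single query-string or path component), so the href becomes `https%3A%2F%2F...` and no longer resolves. Switching to `e('html_attr')` removes that breakage, but it only guarantees the value cannot terminate the attribute; it does not reject a `javascript:` or `data:` homepage, because the browser decodes the entities again before it looks at the scheme. Since the context lines above already compare the homepage against a fixed list of matomo.org URLs, add an explicit scheme check (http or https) before emitting the `<a>`, and omit the link when it fails.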
Member

e('url') cannot be used on a full link, but only on a component. It breaks the URL...

I'll replace it with html_attr

tsteur (Member) commented Dec 6, 2018

@diosmosis see last commit, I fixed the homepage URL link and no longer allow HTML in the description.
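Added example, not Matomo's code: the two rendering decisions the thread settles on, escaping the description as plain text with line breaks (no HTML, as the last comment says) and escaping the homepage href as an attribute rather than as a URL component (the `e('url')` breakage described in the review comment above), modelled in JavaScript. `escapeUrlComponent()` and `escapeHtmlAttr()` are stand-ins written here after the behaviour of Twig's `e('url')` and `e('html_attr')`, not Twig's implementation; the scheme allowlist in `homepageHref()`, the function names and the sample description and URLs are constructed for this example.

```javascript
// Added example (not Matomo's code). The escape helpers are stand-ins modelled
// after Twig's escape strategies; the sample inputs are constructed for the demo.

// Twig e('url') percent-encodes everything except unreserved characters, which
// is correct for a single query-string value but not for a whole URL.
function escapeUrlComponent(value) {
  return encodeURIComponent(String(value));
}

// Twig e('html_attr') leaves only [A-Za-z0-9,.-_] alone and entity-encodes
// everything else, so the value can never terminate the attribute or the tag.
function escapeHtmlAttr(value) {
  const named = { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[^A-Za-z0-9,._-]/gu, (ch) => {
    if (named[ch]) return named[ch];
    const hex = ch.codePointAt(0).toString(16).toUpperCase();
    return '&#x' + hex.padStart(2, '0') + ';';
  });
}

// Plain HTML text escaping, used for the description body and the link label.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Before: description|raw|nl2br. Plugin markup reaches the page untouched; the
// only thing added is a <br /> per newline.
function renderDescriptionRaw(description) {
  return String(description).replace(/\r?\n/g, '<br />\n');
}

// After ("no longer allow HTML in the description"): escape first, then add the
// line breaks, so the only markup in the output is the <br /> we inserted.
function renderDescriptionAsText(description) {
  return escapeHtml(description).replace(/\r?\n/g, '<br />\n');
}

// Homepage link. Attribute escaping keeps the value inside href="...", but the
// browser decodes the entities before it evaluates the scheme, so a javascript:
// URL survives escaping. The scheme allowlist (an assumption of this example)
// decides whether a link is emitted at all.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function homepageHref(homepage) {
  let url;
  try {
    url = new URL(String(homepage)); // throws on relative or garbage input
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return escapeHtmlAttr(url.href);
}

function renderHomepageLink(homepage, label) {
  const href = homepageHref(homepage);
  if (href === null) return ''; // no link at all rather than a dangerous one
  return '<a target="_blank" rel="noreferrer noopener" href="' + href + '">(' +
    escapeHtml(label) + ')</a>';
}

// Constructed sample inputs: a description carrying markup and three homepages.
const SAMPLE_DESCRIPTION = 'Track <b>custom</b> variables\n<script>alert(1)</script>';
const SAMPLE_HOMEPAGES = ['https://matomo.org/', 'javascript:alert(1)', 'not a url'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderDescriptionRaw(SAMPLE_DESCRIPTION));
  console.log(renderDescriptionAsText(SAMPLE_DESCRIPTION));
  console.log(escapeUrlComponent(SAMPLE_HOMEPAGES[0])); // the broken href
  for (const h of SAMPLE_HOMEPAGES) {
    console.log(JSON.stringify(h), '=>', renderHomepageLink(h, 'Plugin Homepage') || '(no link)');
  }
}
```

Running it with node shows the `<script>` tag passing straight through the raw variant, the fully entity-encoded text in the escaped variant, the `https%3A%2F%2F` form that a component escaper produces for a whole URL, and a link emitted only for the https homepage.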

@diosmosis diosmosis merged commit 11fefdf into 3.x-dev Dec 8, 2018
@diosmosis diosmosis deleted the escape-plugin-description branch December 8, 2018 23:10