
Strip HTML tags in API error messages #14213

Merged
merged 3 commits into from Apr 2, 2019

Conversation

sgiehl
Member

@sgiehl sgiehl commented Mar 17, 2019

fixes #12300

@sgiehl sgiehl added the labels not-in-changelog (For issues or pull requests that should not be included in our release changelog on matomo.org.) and Needs Review (PRs that need a code review) Mar 17, 2019
@sgiehl sgiehl added this to the 3.10.0 milestone Mar 17, 2019
@diosmosis
Member

Tested locally and this would decode messages for exceptions that also don't call setIsHtmlMessage(), which could introduce a possible vulnerability. Can we add an is_html_message property when the API returns exceptions? Not sure if it's the best idea to add to the API, but it's all I can think of.

CC @tsteur since it would be a change to the API

@tsteur
Member

tsteur commented Mar 18, 2019

I don't think it's a good idea to decode all errors as it could definitely lead to various security issues. If there was such an is_html_message property, could we safely assume that it will be safe to use these methods?

Took me a while to think about it... I would say in general, an API shouldn't return an HTML message as you don't know if the consumer can process HTML. Often it would not be possible to show HTML, e.g. in a mobile app etc. I would say we strip HTML tags server side for these messages, and / or have two properties: message: 'message with stripped html tags', htmlMessage: 'formatted html message'. The htmlMessage property could be e.g. only visible when setIsHtmlMessage is set (not sure if it is safe to put these htmlMessages into the DOM, would need to double check the safeDecode etc. is all fine).

I think in the mentioned case in #12300 we could maybe just keep things simple and strip the tags and show it without the html tags?

@mattab
Member

mattab commented Mar 19, 2019

> I think in the mentioned case in #12300 we could maybe just keep things simple and strip the tags and show it without the html tags?

Sounds good to me if it works this way 👍

@mattab mattab modified the milestones: 3.11.0, 3.10.0 Mar 19, 2019
@sgiehl
Member Author

sgiehl commented Mar 19, 2019

Stripping the tags should work as well. I'll adjust the PR.

@sgiehl sgiehl changed the title Safely decode api exception messages before displaying them Strip HTML tags in API error messages Mar 19, 2019
Member

@diosmosis diosmosis left a comment


There are some test failures, but looks good

@tsteur
Member

tsteur commented Mar 26, 2019

Random thought: Should this maybe only happen when the ROOT request is an API request? This way a lot of code can maybe still format a message correctly with HTML?

@diosmosis
Member

Haven't tested (of course would be good to), this code might be skipped if the original format is used.

@sgiehl
Member Author

sgiehl commented Mar 30, 2019

I've added the check for root api requests...

@tsteur
Member

tsteur commented Mar 31, 2019

looks good
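The approach settled on in this thread (tags stripped server side so that non-HTML consumers get readable text, a separate htmlMessage only for exceptions explicitly flagged as HTML, and the stripping applied only when the root request is an API request), shown as an added illustration in JavaScript. This is not Matomo's code and not the change merged in this PR; `stripTags`, `buildApiError`, `isHtmlMessage` and `isRootApiRequest` are hypothetical names standing in for the project's own setIsHtmlMessage flag and request handling:

```javascript
// Added example, not Matomo code. Demonstrates the two-property error payload
// discussed in the thread: `message` always has HTML tags stripped,
// `htmlMessage` is only emitted for exceptions flagged as HTML, and stripping
// only applies when the root request is an API request. All names are
// hypothetical.

// Remove HTML tags from an error message. A regex is enough here: the goal is
// readable text for consumers that cannot render HTML (mobile apps, scripts),
// not sanitising markup for display. Entity-encoded text such as `&lt;` is
// left untouched, so nothing is "decoded" into live markup.
function stripTags(text) {
  return String(text).replace(/<[^>]*>/g, '');
}

// Hypothetical exception shape: `isHtmlMessage` mirrors a setIsHtmlMessage()
// flag. Any message without that flag is treated as plain text.
function buildApiError(err, { isRootApiRequest }) {
  if (!isRootApiRequest) {
    // A nested API call made from the UI can still render the message with
    // its formatting, so it is passed through unchanged.
    return { result: 'error', message: err.message };
  }
  const payload = { result: 'error', message: stripTags(err.message) };
  if (err.isHtmlMessage === true) {
    // Only messages the thrower explicitly marked as HTML are exposed as such.
    // Treating every message as HTML on the client would be the risk raised
    // earlier in the thread.
    payload.htmlMessage = err.message;
  }
  return payload;
}

// Constructed sample: a permission error that carries formatting tags.
const sampleError = {
  message: 'You need <strong>view</strong> access to site <em>Example</em>',
  isHtmlMessage: true,
};

// Constructed sample: a plain-text error whose user-supplied value was
// entity-encoded by the thrower and which was never flagged as HTML.
const plainError = {
  message: 'Site &lt;b&gt;Shop&lt;/b&gt; not found <br>',
  isHtmlMessage: false,
};

console.log(buildApiError(sampleError, { isRootApiRequest: true }));
console.log(buildApiError(plainError, { isRootApiRequest: true }));
console.log(buildApiError(sampleError, { isRootApiRequest: false }));
```

The regex stripper is deliberately simple; a message containing a bare `<` followed later by `>` would lose the text between them, which is acceptable for an error string but is why the stripped `message` should never be fed back into an HTML sink as if it were sanitised markup.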

@diosmosis diosmosis merged commit 98e5378 into 3.x-dev Apr 2, 2019
@diosmosis diosmosis deleted the htmlexceptionsjs branch April 2, 2019 21:15
Successfully merging this pull request may close these issues.

html tags are displayed in permission error message
4 participants