Markup hygiene #213
Comments
Any places that generate and evaluate their own markup directly could probably generate it before injecting attributes and content via jquery, which saves the need for sanitation.
cburschka added a commit that referenced this issue May 26, 2015
1.9 - Sunset
============

This release adds several major new features, along with a lot of improvements to the user interface.

Features
--------

- #5, #247: Context menus are now attached to users and rooms. These are triggered by a right click by default, which can be switched to a left click or hover event, or disabled entirely. Context menus provide shortcuts for most of the user- or room-related chat commands.
- #204: Rooms can be configured interactively by calling `/configure` without any arguments or with the `--interactive` option. This opens the room configuration form in a dialog overlay. `/create --interactive` brings up the same form during room creation.
- #156: Users (by JID) can be invited to the current chatroom using the command `/invite <jid>`, which uses XMPP standards and is therefore compatible with other chat clients. Incoming invitations are displayed to the user with a link to the specified room.
- #243: Cadence can now join password-protected rooms via a `--password` argument to `/join`. If the server denies room access due to a missing or wrong password, the client prompts for the password and immediately retries.
- #244: Room owners can destroy a room (ie. instantly remove it and expel all its current occupants) via the `/destroy [<room>]` command. This command requires a confirmation before the room is destroyed.
- #218: Sound settings can be tested with a "preview" button which immediately plays the selected sound.
- #170: The settings sidebar is now split into three tabs.
- #212: The `/whois` command prints basic user information (JID, role, affiliation).
- #232: `/admin` now supports arbitrary service administration commands as defined by [XEP-0133](http://xmpp.org/extensions/xep-0133.html). Form values can be supplied as command-line arguments. The biggest change is that the MOTD must now be set with `/admin set-motd` rather than `/admin motd`, because that is the real name of the command.

Fixes
-----

- #213: All strings in dynamically generated markup are now either escaped or added (as attributes or text nodes) via jQuery. This ensures that strings can never create markup unless they are added to a format string with a `raw:` format specifier.
- #216: HTML (`<b>`) is no longer added to web notifications. This is a vendor-specific feature only supported by some desktop environments.
- #221: All ponymotes have been converted to bitmaps and re-converted to PN to fix some odd color inconsistencies.
- #222: The `dnd` icon has been resized to 16x16 like other status icons.
- #223: Message recipients now have the correct JID classes (and thus flairs).
- #231: Handle arbitrary <show> values. The server passes on the <show/> element in user presences without filtering, and therefore it can neither be relied on to have one of the standard values (away, dnd, xa, chat) nor be safe for inclusion in an HTML class attribute without escaping.

Minor enhancements
------------------

- #200: The carhartl/jquery-cookie library is updated to js-cookie/js-cookie.
- #211: Rooms are now rendered as full links (with context menus as of #247) everywhere, not just in the `/list` output.
- #214: An error in the :ajfrown: emote has been fixed by @Nebedia.
- #215: Most commands now support a named argument syntax, eg. `/msg --nick "<nick>" --msg "<msg>"`.
- #217: The "Make URLs clickable" setting now applies retroactively.
- #219, #220: HTML validation errors fixed in static markup.
- #224: Add "missing arguments" error conditions to commands.
- #225: Hard-coded error string in `/who` moved to strings.js.
- #226: Block `/affiliate` command outside room context.
- #227: Print error messages if `/configure` fails.
- #228, #229: Rewrote `/affiliate` and made `/ban` and `/unban` shortcuts for `/affiliate outcast` / `/affiliate none`.
- #230: The /msg and /dmsg commands use chat.parseArgs().
- #233: strings.info is now sorted alphabetically.
- #236: Users without a nick (ie. non-occupants) no longer have a fake nick attribute only used for display. Instead, their displayed name is directly generated from their bare JID.
- #238: The Cadence version of jquery-replacetext is now a standalone jquery plugin, and is included as a submodule.
- #239: xbbcode is now updated to 1.0.0, the first public release. This fixes an error with improperly nested tags.
- #240: A nick collision while joining a room now prompts for a different nickname rather than automatically appending a number.
- #241: Users get the room name instead of "You have been banned from {room}!" when they are banned.
- #242: /whois prints "---" for the JID in anonymous rooms.
- #245: Cleaned up string formatting. Formats are now specified with `{format:var}` instead of `{format.var}`, and the variable key is `var` instead of `format.var`. Names and formats can contain any word characters, not just [a-z]. Variables are only formatted when they are actually used by the template.
- #246: `/configure --title "<...>"` now targets the current room instead of a room named <...>.
- #248: Context menu items are only enabled when the current state allows them.
- #249: Form dialogs can now be made from any form, not just jabber:data-form stanzas.
- #251: Context menus and dialog overlays now visually match the current theme.
- #253: :droneriots: and :yay: are removed from the main Cadence branch.
- #255 et al: Several style fixes for Firefox and Chromium.
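An added illustration, not code from Cadence: a small escape-by-default template formatter in the spirit of the #213 fix described in this commit message, where a substituted value can only become markup when the template opts in with a `raw:` specifier. The `{class:...}` format, which replaces a `<show>` value outside the standard set with a fallback token, goes one step beyond the #231 fix (which escapes the value); the template syntax, function names and sample values are assumptions constructed for this example.

```javascript
"use strict";

// Added example, not Cadence's code. Values substituted into a template are
// HTML-escaped unless the placeholder names the "raw" or "class" format.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for safe insertion as an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Placeholder syntax (assumed): {var} is escaped, {raw:var} is inserted verbatim,
// {class:var} is restricted to a safe class token.
const PLACEHOLDER = /\{(?:(\w+):)?(\w+)\}/g;

// The standard <show> values (RFC 6121); anything else becomes "unknown"
// instead of being spliced into a class attribute.
const SHOW_VALUES = new Set(["away", "chat", "dnd", "xa"]);

const FORMATS = {
  raw: (v) => String(v),
  class: (v) => (SHOW_VALUES.has(v) ? v : "unknown"),
};

// Substitute variables; unknown variables are left untouched, unknown formats are an error.
function format(template, vars) {
  return template.replace(PLACEHOLDER, (match, fmt, name) => {
    if (!Object.prototype.hasOwnProperty.call(vars, name)) return match;
    const apply = fmt ? FORMATS[fmt] : escapeHtml;
    if (!apply) throw new Error("unknown format: " + fmt);
    return apply(vars[name]);
  });
}

// The pattern #213 removed: string concatenation, so nick and show are raw markup.
function renderUserVulnerable(nick, show) {
  return '<span class="user-' + show + '">' + nick + "</span>";
}

// The hardened form: every value passes through a format, escaped by default.
function renderUser(nick, show) {
  return format('<span class="user-{class:show}">{nick}</span>', { nick, show });
}

// Constructed sample values: markup in a nick and a quote-breaking <show> value.
const sampleNick = "<b>nick</b>";
const sampleShow = 'x" data-y="1';
console.log(renderUserVulnerable(sampleNick, sampleShow)); // markup survives
console.log(renderUser(sampleNick, sampleShow));           // markup neutralised
```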
cburschka added a commit to calref/cadence that referenced this issue May 26, 2015
1.9 - Sunset

Conflicts:
	VERSION
	js/core/chat.js
	js/core/config.tpl.js
cburschka added a commit that referenced this issue May 26, 2015
1.9 - Sunset

Conflicts:
	VERSION
	js/core/chat.js
	js/core/config.tpl.js
cburschka added a commit to calref/cadence that referenced this issue Jun 11, 2015
1.9.1
=====

This is a bugfix release, fixing mostly regressions from 1.9.0.

Changes
-------

- cburschka#204 addendum: The jquery-ui icons are now copied to the CDN prefix during installation.
- cburschka#256: Navigation links are now displayed again. The cburschka#213 fixes accidentally removed the link anchor texts from the navigation links.
- cburschka#257: The dash theme now correctly styles buttons in dialog overlays, which lack the .button class and must be selected with .dialog button.
- cburschka#258: Backslash escape sequences are now correctly stripped in parseArgs(), which only stripped the first sequence in each argument before.
- cburschka#263: /version now shows the client version as just "v0.0.0" instead of (inaccurately) "cadence-v0.0.0".
- cburschka#264: Plaintext messages (only generated by clients other than cadence, which sends all messages with an XHTML-IM body) are now properly escaped rather than being interpreted as HTML code.
- cburschka#265: Room history messages are now attributed to users in the room by their JID. This properly styles authors who changed their nickname after sending the message, and does not misidentify authors whose former nickname is now being used by someone else.
- cburschka#266: A :flutterkay: emote has been added.
cburschka added a commit that referenced this issue Dec 20, 2015
1.9.1
The most severe vulnerability has been solved by #192 / #196, but all is not completely well.
There are a few other places where we generate markup that contains unescaped values. They tend to be length-limited and therefore not vulnerable to full scripting attacks (or at most just syntax errors), and a lot of values require file access to the installation to change. But it's not clean.
What needs to be examined: