Literal XML evaluated in plaintext-only messages. #264
Comments
var body = $('html body p', stanza).html() || $($('body', stanza)[0]).text();

This is obviously, painfully wrong in hindsight. The text content of |

As a bugfix for 1.9.1, it is sufficient to pass the text content through

Ultimately, I suspect that the message body shouldn't be serialized at all - once the XML has been evaluated, it should be kept that way throughout the rendering process. This would leave the HTML as a regular DOM node, and the plaintext as a text node (possibly wrapped in a |
1.9.1
=====

This is a bugfix release, fixing mostly regressions from 1.9.0.

Changes
-------

- cburschka#204 addendum: The jquery-ui icons are now copied to the CDN prefix during installation.
- cburschka#256: Navigation links are now displayed again. The cburschka#213 fixes accidentally removed the link anchor texts from the navigation links.
- cburschka#257: The dash theme now correctly styles buttons in dialog overlays, which lack the .button class and must be selected with .dialog button.
- cburschka#258: Backslash escape sequences are now correctly stripped in parseArgs(), which only stripped the first sequence in each argument before.
- cburschka#263: /version now shows the client version as just "v0.0.0" instead of (inaccurately) "cadence-v0.0.0".
- cburschka#264: Plaintext messages (only generated by clients other than cadence, which sends all messages with an XHTML-IM body) are now properly escaped rather than being interpreted as HTML code.
- cburschka#265: Room history messages are now attributed to users in the room by their JID. This properly styles authors who changed their nickname after sending the message, and does not misidentify authors whose former nickname is now being used by someone else.
- cburschka#266: A :flutterkay: emote has been added.
1.10.0 - Starlight
==================

This long-delayed release makes minor improvements to the UI, fixes several bugs in room history and plaintext message bodies, and adds eleven new ponicons.

Features
--------

- cburschka#252: Print role and affiliation changes.
- cburschka#254: /admin command is now interactive.
- cburschka#260: Changes to the timestamp format are now applied retroactively.
- cburschka#266: New :flutterkay: emote.
- cburschka#272: Reformat the plaintext body as Markdown.
- cburschka#275: The OMG theme has been removed.
- cburschka#281: Ten new ponicons: :goodjob:, :calm:, :ajcry:, :ajdoubt:, :pinkieglare:, :rarityeww:, :spikewhoa:, :skeptiloo:, :twipbbt: and :wasntme:.

Bugfixes
--------

- cburschka#204: Install jquery-ui icons in the CDN prefix.
- cburschka#256: Add the navigation bar links' anchor texts.
- cburschka#257: Style the dialog buttons in the "dash" theme.
- cburschka#258: Strip backslashes in command arguments.
- cburschka#264: If other clients send only a plaintext body, escape it.
- cburschka#265: Attribute delayed messages by JID, not by nick.
- cburschka#267: Add JID (and flair classes) to history authors who are now absent.
- cburschka#268: Make an empty alert field not cause an alert on all messages.
- cburschka#273: Handle "forbidden" message error.
- cburschka#274: Convert JID user class to lower-case.
- cburschka#276: Fix a crash when joining a room with verbosity turned off.
- cburschka#278: Strip hidden markup when saving an HTML log.

Minor changes
-------------

- cburschka#263: The /version command no longer prefixes the version with "cadence-".
- Refactor chat.commands to alphabetical order.
- cburschka#277: Update the JS libraries.
- Add doc comments to visual.messagesToText and visual.ellipsis.
- cburschka#280: All CalRef-specific ponicons have been removed from the master branch.
- cburschka#282: Store the persistent font color as a data attribute, not a class.
1.9.1
=====

This is a bugfix release, fixing mostly regressions from 1.9.0.

Changes
-------

- #204 addendum: The jquery-ui icons are now copied to the CDN prefix during installation.
- #256: Navigation links are now displayed again. The #213 fixes accidentally removed the link anchor texts from the navigation links.
- #257: The dash theme now correctly styles buttons in dialog overlays, which lack the .button class and must be selected with .dialog button.
- #258: Backslash escape sequences are now correctly stripped in parseArgs(), which only stripped the first sequence in each argument before.
- #263: /version now shows the client version as just "v0.0.0" instead of (inaccurately) "cadence-v0.0.0".
- #264: Plaintext messages (only generated by clients other than cadence, which sends all messages with an XHTML-IM body) are now properly escaped rather than being interpreted as HTML code.
- #265: Room history messages are now attributed to users in the room by their JID. This properly styles authors who changed their nickname after sending the message, and does not misidentify authors whose former nickname is now being used by someone else.
1.10.0 - Starlight
==================

This long-delayed release makes minor improvements to the UI, fixes several bugs in room history and plaintext message bodies, and adds eleven new ponicons.

Features
--------

- #252: Print role and affiliation changes.
- #254: /admin command is now interactive.
- #260: Changes to the timestamp format are now applied retroactively.
- #272: Reformat the plaintext body as Markdown.
- #275: The OMG theme has been removed.

Bugfixes
--------

- #204: Install jquery-ui icons in the CDN prefix.
- #256: Add the navigation bar links' anchor texts.
- #257: Style the dialog buttons in the "dash" theme.
- #258: Strip backslashes in command arguments.
- #264: If other clients send only a plaintext body, escape it.
- #265: Attribute delayed messages by JID, not by nick.
- #267: Add JID (and flair classes) to history authors who are now absent.
- #268: Make an empty alert field not cause an alert on all messages.
- #273: Handle "forbidden" message error.
- #274: Convert JID user class to lower-case.
- #276: Fix a crash when joining a room with verbosity turned off.
- #278: Strip hidden markup when saving an HTML log.

Minor changes
-------------

- #263: The /version command no longer prefixes the version with "cadence-".
- Refactor chat.commands to alphabetical order.
- #277: Update the JS libraries.
- Add doc comments to visual.messagesToText and visual.ellipsis.
- #280: All CalRef-specific ponicons have been removed from the master branch.
- #282: Store the persistent font color as a data attribute, not a class.

Conflicts:
	VERSION
	emoticon-packs/ponicons/emoticons.conf
	emoticon-packs/ponicons/sombra.png
When a message without an XHTML-IM body arrives, cadence seems to evaluate the plaintext body (after any XML entity armor has been removed) as HTML.
This isn't a security issue as HTML is carefully sanitized before actual presentation, but it can cause unintentional effects as seen above.
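The following is an added example, not code from cadence or from the issue's participants. It models the three body-handling paths discussed on this page: the buggy line quoted in the comment (XHTML-IM markup and plaintext returned as the same kind of string, then inserted as HTML), the 1.9.1 bugfix (escape the plaintext before it reaches the HTML path), and the approach the comment argues for (keep the evaluated body as a typed node and let only the renderer serialize it). The stanza shape (`xhtmlBody`, `plainBody`), the helper names and the sample message are all assumptions made for the demo; the wire sample is constructed.

```javascript
// Added example (not cadence's own code). A "stanza" is a plain object
// standing in for the parsed <message> element: "xhtmlBody" holds the
// XHTML-IM body (already markup), "plainBody" the <body> text. Both
// property names are assumptions for this demo.

// What an XML parser does to the wire form of <body>: undo the five
// predefined entities. XML defines only these five, so the table is complete.
function xmlDecode(s) {
  const ents = { '&lt;': '<', '&gt;': '>', '&amp;': '&', '&quot;': '"', '&apos;': "'" };
  return s.replace(/&(lt|gt|amp|quot|apos);/g, (m) => ents[m]);
}

// Re-armor text so a browser displays the characters instead of
// interpreting them as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Buggy path, mirroring the line quoted in the issue: markup and plaintext
// come back as the same kind of string and the caller inserts it as HTML.
// A plaintext body containing angle brackets therefore becomes live markup.
function bodyHtmlBuggy(stanza) {
  return stanza.xhtmlBody || stanza.plainBody;
}

// The 1.9.1-style fix: escape the plaintext before it joins the HTML path.
function bodyHtmlFixed(stanza) {
  return stanza.xhtmlBody || escapeHtml(stanza.plainBody);
}

// The approach the comment suggests: never serialize early. The body stays
// a typed node; the renderer is the only place that produces markup, and it
// escapes text nodes by construction, so the mistake cannot recur upstream.
function bodyNode(stanza) {
  return stanza.xhtmlBody
    ? { type: 'html', value: stanza.xhtmlBody }
    : { type: 'text', value: stanza.plainBody };
}
function render(node) {
  return node.type === 'html' ? node.value : escapeHtml(node.value);
}

// Crude tag scanner used only to show the difference: lists the element
// names a browser would see in a string. Not an HTML parser.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)[^>]*>/g)].map((m) => m[1].toLowerCase());
}

// Constructed samples. "wirePlainBody" is what a non-cadence client puts
// between <body> and </body>; after XML parsing the entity armor is gone.
const wirePlainBody = '&lt;b&gt;hi&lt;/b&gt; &amp; &quot;bye&quot;';
const plainOnly = { xhtmlBody: null, plainBody: xmlDecode(wirePlainBody) };
// cadence itself always sends an XHTML-IM body, which is already markup.
const withXhtml = { xhtmlBody: '<p><em>hi</em></p>', plainBody: 'hi' };

console.log('decoded plaintext:', plainOnly.plainBody);
console.log('buggy path tags  :', tagNames(bodyHtmlBuggy(plainOnly)));
console.log('fixed path tags  :', tagNames(bodyHtmlFixed(plainOnly)));
console.log('fixed path html  :', bodyHtmlFixed(plainOnly));
console.log('typed-node render:', render(bodyNode(plainOnly)));
```

Note that the buggy path turns a body that was correctly entity-armored on the wire into a `<b>` element purely because the XML parser did its job and the client then reused the decoded string as HTML; the fixed path yields a string whose only angle brackets come from the XHTML-IM body, and the typed-node variant gives the same result without the caller having to remember the escape.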