Escaping HTML in Contact Users Nicknames #274

s-rah · 2015-10-12T04:50:49Z

It turns out that if you enter html into a nickname it
doesn't get rendered during the initial contact request, but
if accepted, the html will render in the contacts column and
in the setting menu.

Mostly this isn't an issue (the odd style issue when users
set their nicks to be h1) however - it is possible, in the
limited 30 character space to construct an img tag which -
providing they can create a url short enough is enough to
automatically render the image and reveal the users IP
address to the server where the image is located.

This fix forces contact nick names to have html escaped.

It turns out that if you enter html into a nickname it doesn't get rendered during the initial contact request, but if requested, the html will render in the contacts column and in the setting menu. Mostly this isn't an issue (the odd style issue when users set their nicks to be <h1>) however - it is possible, in the limited 30 character space to construct an <img> tag which - providing they can create a url short enough is enough to automatically render the image and reveal the users IP address. This very simple fix forces contact nick names to have html escaped.

s-rah mentioned this pull request Nov 9, 2015

Block External Entity Resolution (or force through Tor) #303

Closed

special closed this in af026c2 Dec 23, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Escaping HTML in Contact Users Nicknames #274

Escaping HTML in Contact Users Nicknames #274

s-rah commented Oct 12, 2015

Escaping HTML in Contact Users Nicknames #274

Escaping HTML in Contact Users Nicknames #274

Conversation

s-rah commented Oct 12, 2015