Ticket #1180 (new defect) — at Version 1
User 'about' field put in HTML unsafely
| Reported by: | dread | Owned by: | dread |
|---|---|---|---|
| Priority: | critical | Milestone: | ckan-v1.5-sprint-3 |
| Component: | ckan | Keywords: | |
| Cc: | | Repository: | ckan |
| Theme: | none | | |
Description (last modified by dread)
A user can insert bad things into their About field, and when you view the user (web interface) it causes a 500 error - something is not right here. We need to filter to just safe markdown, as we do for the package notes field.
`<a href="http://xxxsex.com>nasty/website`
Also check this related exception:
```text
Module ckan.controllers.user:59 in read
<<  c.is_myself = user.name == c.user
    c.api_key = user.apikey
    c.about_formatted = self._format_about(user.about)
    revisions_q = model.Session.query(model.Revision
                                      ).filter_by(author=user.name)
>>  c.about_formatted = self._format_about(user.about)
Module ckan.controllers.user:167 in _format_about
<<  def _format_about(self, about):
        about_formatted = ckan.misc.MarkdownFormat().to_html(about)
        return genshi.HTML(about_formatted)
    def _get_form_password(self):
>>  return genshi.HTML(about_formatted)
WebApp Error: <class 'genshi.input.ParseError'>: junk characters in start tag: u'\u201dhttp://www.settingu': line 1, column 3
```
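The traceback shows two separate problems: the rendered markdown is handed to `genshi.HTML()`, which is a strict parser and raises on malformed markup such as the unclosed quote above, and nothing strips unsafe tags or `javascript:` links before that. The following is an added example, not CKAN's own code: a Python 3 standard-library allow-list sanitizer (the names `sanitize_about`, `AboutSanitizer`, `safe_href` and the tag list are this example's choices) that assumes it is fed the HTML produced by the markdown step, drops everything outside the allow-list, rejects unsafe `href` schemes, and always returns balanced markup so the downstream strict parse cannot fail.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list: tags not listed are dropped (their text is kept); only <a> keeps attributes.
ALLOWED_TAGS = {"p", "br", "em", "strong", "b", "i", "a", "ul", "ol", "li", "code", "pre", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}  # rejects javascript:, data:, vbscript:, ...

def safe_href(value):  # True only for http(s)/mailto; URLs urlsplit cannot parse are unsafe
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AboutSanitizer(HTMLParser):
    """Rebuild user HTML from scratch with allow-listed markup only. html.parser tolerates
    malformed input (no exception on an unclosed quote) and the output always balances
    its tags, so a strict parser such as genshi.HTML() downstream cannot raise."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = [(n, v or "") for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and (n != "href" or safe_href(v or ""))]
        attr_text = "".join(' %s="%s"' % (n, escape(v, quote=True)) for n, v in kept)
        self.out.append("<%s%s%s>" % (tag, attr_text, " /" if tag in VOID_TAGS else ""))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        while tag in self.open_tags:  # stray end tags are ignored; nested open tags get closed too
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break
    def handle_data(self, data):  # comments and processing instructions are dropped by default
        self.out.append(escape(data, quote=False))
    def result(self):
        self.close()
        while self.open_tags:  # close whatever the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)

def sanitize_about(html_text):
    sanitizer = AboutSanitizer()
    sanitizer.feed(html_text)
    return sanitizer.result()
```

Markdown-to-HTML conversion stays with the existing `MarkdownFormat` step; this only replaces the unfiltered hand-off to `genshi.HTML()`.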
