Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
briar
briar
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 694
    • Issues 694
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 15
    • Merge Requests 15
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Wiki
    • Wiki
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • briar
  • briarbriar
  • Issues
  • #911

Closed
Open
Opened Mar 23, 2017 by akwizgran@akwizgranOwner

HTML in blog posts should be sanitised

Links in manually created blog posts can specify any protocol. This can be used to specify the intent:// protocol handler, which makes creation of intents possible. This can be used to crash the app when the user clicks on a link. Other malicious actions might be possible.

All HTML should be passed through the HTML sanitiser before being rendered, and we should ensure that the sanitiser removes URLs with unknown protocols.

Assignee
Assign to
Milestone G
Milestone
Milestone G (Past due)
Assign milestone
Time tracking
None
Due date
None
Reference: briar/briar#911