Steps to reproduce
Fetch article with HTML code.
For example, CVE-2020-21976 with this RSS source:
<item>
<title>CVE-2020-21976</title>
<description>An arbitrary file upload in the <input type="file" name="user_image"> component of NewsOne CMS v1.1.0 allows attackers to webshell and execute arbitrary commands. (CVSS:9.0) (Last Update:2021-08-19)</description>
<link>http://www.cvedetails.com/cve/CVE-2020-21976/</link>
<pubDate>2021-08-11</pubDate>
</item>
<item>
Actual result
The HTML code <input type="file" name="user_image"> in <description> is rendered in the preview of the article.
When the article is loaded in the internal browser there is no problem.
My settings in Options - Browser - General - Content:
Load images - checked (HTML is rendered even when unchecked)
Enable JavaScript - unchecked
Enable plug-ins - unchecked
Expected result
Code should not be rendered by default.
Add an "Enable HTML" checkbox like there is for JavaScript? (Unchecking it would show the raw text.)
Maybe with a sub-checkbox "Allow only safe tags", which would sanitize the <title>, <description>, <link> and <pubDate> tags?
QuiteRSS 0.19.4. There is a similar issue related to JavaScript: https://github.com/QuiteRSS/quiterss/issues/1439. This issue is about HTML.
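As an added example (not QuiteRSS code), the two display modes proposed in this report, in Python: with "Enable HTML" unchecked the description is shown as raw text, and with a hypothetical "Allow only safe tags" option an allowlist keeps simple formatting and escapes everything else, so the <input> from the CVE item above appears as literal text. The tag allowlist, attribute rules and class name are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the <description> text of the CVE-2020-21976 item quoted in the report.
SAMPLE_DESCRIPTION = ('An arbitrary file upload in the <input type="file" name="user_image"> '
                      'component of NewsOne CMS v1.1.0 allows attackers to webshell and execute '
                      'arbitrary commands. (CVSS:9.0) (Last Update:2021-08-19)')

# Hypothetical allowlist for the proposed "Allow only safe tags" option:
# basic formatting only; no form controls, scripts, styles or event-handler attributes.
SAFE_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
SAFE_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}

class SafeTagSanitizer(HTMLParser):
    """Re-emit allowlisted tags; turn every other tag into escaped, visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in SAFE_TAGS:
            # Disallowed tag (e.g. <input>) becomes literal text instead of markup.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name in SAFE_ATTRS.get(tag, set()) and value is not None:
                # Only http(s) links survive; javascript: and data: URLs are dropped.
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SAFE_TAGS:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))  # keep it visible, not active

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text between tags is always escaped

def render_raw_text(description: str) -> str:
    """'Enable HTML' unchecked: show the description exactly as received."""
    return html.escape(description)

def render_safe_tags(description: str) -> str:
    """'Allow only safe tags' checked: keep formatting, neutralise the rest."""
    parser = SafeTagSanitizer()
    parser.feed(description)
    parser.close()
    return "".join(parser.out)
```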