fedwiki / wiki-server

Federated Wiki client and server in Node.js

URLs with line-up with sites other than the origin not working #117

Closed paul90 closed 8 years ago

paul90 commented 8 years ago

A request for a URL with a lineup, like http://forage.rodwell.me/forage.ward.fed.wiki.org/weeds-in-the-farm/fedwikihappening.rodwell.me/weeds-in-the-farm fails with the following in the page returned by the server.

<section class='main'>
      <div class='page' id=weeds-in-the-farm data-site&#x3D;forage.ward.fed.wiki.org ></div>
      <div class='page' id=weeds-in-the-farm data-site&#x3D;fedwikihappening.rodwell.me ></div>
    </section>
WardCunningham commented 8 years ago

I noticed this strange behavior. Seems independent of origins that I have updated to latest npm version. Also fails on chrome and Firefox. I don't recognize the x3D.

paul90 commented 8 years ago

&x3D; is I think an escaped equal sign

paul90 commented 8 years ago

looks to be caused by the upgrade to Handlebars 4.x in hbs - back in October 2015!

The = character is now HTML escaped. This closes a potential exploit case when using unquoted attributes, i.e. <div foo={{bar}}>. In general it's recommended that attributes always be quoted when their values are generated from a mustache to avoid any potential exploit surfaces.
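Added example (not wiki-server's own code and not the Handlebars library): a small reimplementation of the escaping Handlebars 4.x applies to `{{...}}` output, used to show why a whole `data-site=host` string breaks when it goes through an escaping mustache, and why a quoted attribute that interpolates only the value is the safe shape. The escape set, the hypothetical render functions and the sample site value with whitespace are assumptions, not taken from the issue.

```javascript
// Added example, not wiki-server's or Handlebars' code. Assumption: this
// mirrors the Handlebars 4.x escape set (& < > " ' ` =) for {{...}} output.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};
function escapeExpression(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPES[ch]);
}

// Shape that yields the output quoted in the issue: attribute name, '=' and
// value all travel through the interpolated string, so the '=' is escaped
// and the browser sees one attribute named "data-site&#x3D;host", no value.
function renderPageBroken(slug, site) {
  return `<div class='page' id=${slug} ${escapeExpression(`data-site=${site}`)}></div>`;
}

// Unquoted attribute with only the value interpolated: '=' is fine now, but
// whitespace in the value still starts a second attribute.
function renderPageUnquoted(slug, site) {
  return `<div class='page' id=${escapeExpression(slug)} data-site=${escapeExpression(site)}></div>`;
}

// Quoted attribute, value-only interpolation: the quotes plus the escaping
// of '"' keep the whole value inside one attribute whatever it contains.
function renderPageQuoted(slug, site) {
  return `<div class='page' id="${escapeExpression(slug)}" data-site="${escapeExpression(site)}"></div>`;
}

// Rough attribute tokenizer (quoted or unquoted values) showing how a browser
// would carve the start tag into attribute names.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/\s*\/?>[\s\S]*$/, '');
  const names = [];
  const re = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s]*))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Inputs: the slug and site from the issue, plus a constructed value with
// whitespace and an '=' to show the attribute boundary problem.
const SLUG = 'weeds-in-the-farm';
const SITE = 'forage.ward.fed.wiki.org';
const ODD_SITE = 'forage.example x=y'; // constructed, not from the issue
console.log(attributeNames(renderPageBroken(SLUG, SITE)));       // [..., 'data-site&#x3D;forage.ward.fed.wiki.org']
console.log(attributeNames(renderPageUnquoted(SLUG, ODD_SITE))); // [..., 'data-site', 'x&#x3D;y']
console.log(attributeNames(renderPageQuoted(SLUG, ODD_SITE)));   // ['class', 'id', 'data-site']
```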