jquery / jquery-wp-content

WordPress themes and plugins for the jQuery sites
GNU General Public License v2.0

contribute.jquery.org: Sanitize input before rendering as HTML #393

Closed gibson042 closed 6 years ago

gibson042 commented 8 years ago

cf. http://contribute.jquery.org/CLA/status/?owner=jquery&repo=jquery&sha=e217c1949f625c4c4ae7b9e93943310c73ef55ac

mgol commented 8 years ago

The link no longer works.

gibson042 commented 8 years ago

Well, I suppose the consequences of submitting commit hashes containing single-quote characters (or worse) without this change are obvious.

mgol commented 8 years ago

Yeah, that's true.

mgol commented 8 years ago

This may only bite in combination with CLA checker bugs, right? User-provided input was already sanitized, repo/owner/sha are first used to generate $data and nothing would be found for rogue fake ones.

gibson042 commented 8 years ago

I believe that's correct.

mgol commented 8 years ago

OK, it shouldn't be extremely critical then. LGTM.

gibson042 commented 7 years ago

A year and a half with no injection attacks, but I updated it anyway. :upside_down_face:
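The defence discussed in this thread (validate the owner/repo/sha query parameters, then escape at output so a value containing a single quote cannot break out of an HTML attribute) as an added JavaScript example; this is not code from jquery-wp-content, and the function names, patterns and sample value are assumptions constructed here.

```javascript
// Added example, not jquery-wp-content code. The CLA status page takes owner,
// repo and sha from the query string and renders them into HTML. Two layers:
// strict validation of the expected shapes (names/patterns are assumptions),
// and HTML escaping at output time as defence in depth.

// GitHub-style owner/repo names and a hex commit sha (assumed shapes).
const OWNER_REPO_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;
const SHA_RE = /^[0-9a-f]{7,40}$/i;

// Reject anything that does not look like a real owner, repo or sha.
function validateClaParams({ owner, repo, sha }) {
  if (!OWNER_REPO_RE.test(owner || "")) throw new Error("invalid owner");
  if (!OWNER_REPO_RE.test(repo || "")) throw new Error("invalid repo");
  if (!SHA_RE.test(sha || "")) throw new Error("invalid sha");
  return { owner, repo, sha: sha.toLowerCase() };
}

// Escape the characters that matter in text and in (single- or double-quoted)
// attribute context, including the single quote the thread calls out.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Raw interpolation: a single quote in sha ends the href attribute early.
function renderRaw({ owner, repo, sha }) {
  return `<a href='https://github.com/${owner}/${repo}/commit/${sha}'>${sha}</a>`;
}

// Escaped interpolation: the same input stays inert inside the attribute.
function renderEscaped({ owner, repo, sha }) {
  const o = escapeHtml(owner), r = escapeHtml(repo), s = escapeHtml(sha);
  return `<a href='https://github.com/${o}/${r}/commit/${s}'>${s}</a>`;
}

// Constructed sample value: a "sha" carrying a single quote to close the attribute.
const ROGUE_SHA = "e217c19' title='injected";

// Quick demonstration when run directly.
const sample = { owner: "jquery", repo: "jquery", sha: ROGUE_SHA };
console.log("raw:     ", renderRaw(sample));
console.log("escaped: ", renderEscaped(sample));
```

Validation alone would already reject the rogue value; the escaping layer is what keeps the page safe if a checker bug ever lets such a value through, which is the scenario raised above.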