In the new Micropub syndication targets format, the uid field can be literally anything:
"The uid property is opaque to the client, and is the value the client sends in the Micropub request to indicate the targets to syndicate to."
I use HTML (a Bridgy Publish link) as the uid… which breaks Woodwind:
This is vulnerable to XSS — although in this case a user can only attack their own browser, putting untrusted strings directly into HTML is not a good idea.
Woodwind should escape the uid in the template, and unescape when sending Micropub post requests.
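
The escape-then-round-trip behaviour requested above, as an added Python sketch that is not Woodwind's code or part of the original report: the uid is escaped for the attribute it is rendered into, an HTML parser standing in for the browser decodes it back, and the original string is what goes into the Micropub request. The function names, the form field name `syndicate-to` and the sample target are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample: a syndication target whose uid is an HTML fragment.
TARGET = {
    "uid": '<a href="https://example.com/publish/twitter" class="u-bridgy"></a>',
    "name": "Twitter via Bridgy <example>",
}

def render_target(target):
    """Render one checkbox; uid and name are escaped for their HTML context."""
    uid = html.escape(target["uid"], quote=True)     # attribute value context
    name = html.escape(target["name"], quote=False)  # element text context
    return ('<label><input type="checkbox" name="syndicate-to" '
            f'value="{uid}"> {name}</label>')

class _ValueReader(HTMLParser):
    """Stands in for the browser: records tags seen and decoded value attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.values += [v for k, v in attrs if k == "value"]

def submitted_values(markup):
    """Return (tags parsed from the markup, value attributes after entity decoding)."""
    reader = _ValueReader()
    reader.feed(markup)
    return reader.tags, reader.values

def micropub_body(content, uids):
    """Form-encode a Micropub create request carrying the original uid strings."""
    fields = [("h", "entry"), ("content", content)]
    fields += [("mp-syndicate-to[]", uid) for uid in uids]
    return urlencode(fields)

if __name__ == "__main__":
    markup = render_target(TARGET)
    tags, values = submitted_values(markup)
    print(markup)
    print(tags, values)
    print(micropub_body("hello world", values))
```

If the escaped form is ever stored or passed around server-side rather than decoded by the browser, `html.unescape` restores the original uid before the request is built.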