scripting / a8c-FeedLand-Support

A public repo for discussing FeedLand at A8C.

Security fix broke URL params #82

Open scripting opened 7 months ago

scripting commented 7 months ago

You can see the problem by clicking on this link.

http://feedland.com/?readinglist=https%3A%2F%2Ffeedland.com%2Fopml%3Fscreenname%3Dcagrimmett%26catname%3Dbloggers

You should see an error dialog saying "Can't get info about the list because it isn't in the database."

It is in the database. The URL of the list was broken when it passed through getFirstUrlParam in feedlandHome.

The reason it broke is a security fix I added on 11/17/23 that neuters URL params so you can't inject JS code that way (that runs).

But the neutering is overzealous I guess? Will have to investigate.

scripting commented 7 months ago

Solved this problem by changing the order of neutering and decoding url params.

This url now works.

https://feedland.com/?readinglist=https%3A%2F%2Ffeedland.com%2Fopml%3Fscreenname%3Dcagrimmett%26catname%3Dbloggers#
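Why the order of the two steps matters, as an added example that is not FeedLand's code. It assumes the neutering step is plain HTML escaping (the thread does not show it or say which order was adopted); `neuter`, `rawParam` and `readUrlParam` are hypothetical names.

```javascript
// Hypothetical stand-in for the "neutering" step: HTML-escape markup characters.
// FeedLand's real neutering code is not shown in the thread.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function neuter(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Return the raw, still percent-encoded value of one query parameter.
function rawParam(url, name) {
  const start = url.indexOf("?");
  if (start < 0) return undefined;
  const query = url.slice(start + 1).split("#")[0];
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return undefined;
}

// The two possible orders of the same two steps.
const decodeThenNeuter = (raw) => neuter(decodeURIComponent(raw));
const neuterThenDecode = (raw) => decodeURIComponent(neuter(raw));

// Order-independent alternative: keep the exact decoded value for the database
// lookup (only if it parses as an http/https URL) and escape a copy for HTML.
function readUrlParam(raw) {
  try {
    const value = decodeURIComponent(raw); // throws URIError on malformed escapes
    const protocol = new URL(value).protocol; // throws TypeError if not absolute
    if (protocol !== "http:" && protocol !== "https:") return null;
    return { forLookup: value, forHtml: neuter(value) };
  } catch (e) {
    return null;
  }
}

// Constructed inputs: the link from the issue, and an encoded markup value.
const listLink = "https://feedland.com/?readinglist=https%3A%2F%2Ffeedland.com%2Fopml%3Fscreenname%3Dcagrimmett%26catname%3Dbloggers#";
const raw = rawParam(listLink, "readinglist");
const markupRaw = "%3Cb%3Ex%3C%2Fb%3E"; // decodes to <b>x</b>

console.log(decodeThenNeuter(raw));       // "&" escaped: no longer the stored list URL
console.log(neuterThenDecode(raw));       // list URL intact
console.log(neuterThenDecode(markupRaw)); // markup intact too: escaping ran too early
console.log(readUrlParam(raw), readUrlParam(markupRaw));
```

Under this assumption, escaping after decoding changes the value used as a lookup key, while escaping before decoding leaves encoded markup untouched; escaping only at the point of HTML output avoids both.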

scripting commented 7 months ago

I'm leaving this open for now in case it opens other issues. Fixing bugs like this can cause breakage.