textpattern / textpattern-forum

Official forum of the Textpattern project.
https://forum.textpattern.com
MIT License
13 stars 3 forks

Encoding, and potentially security, issues #75

Closed gocom closed 7 years ago

gocom commented 7 years ago

The values used in the application/ld+json meta-blocks erroneously use an HTML-specific sanitizer; this could lead to JavaScript being injected into the pages through topic headings, depending on how application/ld+json is interpreted by the browser. If it has no executing abilities (which it probably doesn't on modern browsers), this will lead to invalid JSON at least.

Instead, the objects should be created and encoded using json_encode, and an HTML sanitizer that prevents ending the block (as it's embedded within an HTML doc). E.g.

// Build the JSON-LD object as a PHP array and let json_encode() produce the JSON;
// the per-value sanitizer only needs to stop a value from closing the <script> element.
$page_head['json-ld'] = '<script type="application/ld+json">'."\n".
    json_encode(array(
        '@context' => 'https://schema',
        '@type' => 'WebSite',
        'headline' => pun_htmlspecialchars($cur_topic['subject'].($p == 1 ? '' : ' ('.sprintf($lang_common['Page'], intval($p)).')')),
        'description' => pun_htmlspecialchars('Postings in'.($p == 1 ? '' : ' page '.$p.' of').' the ‘'.$cur_topic['subject'].'’ topic in the ‘'.$cur_topic['forum_name'].'’ subforum.'),
        'url' => 'https://forum.textpattern.io/viewtopic.php?id='.intval($id).($p == 1 ? '' : '&p='.intval($p)),
    ))."\n".
    '</script>';

Also, the & should not be an entity, as it's not HTML but JSON.
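To make the contrast in the post above concrete, here is an added, stand-alone example (not code from textpattern-forum, and not the poster's snippet). It puts the same constructed topic heading through two pipelines: the pattern the issue describes (values passed through an HTML escaper and spliced into a hand-written JSON object) and a json_encode() call with JSON_HEX_TAG and JSON_HEX_AMP, then checks each result for JSON validity, round-tripping of the heading, and the presence of a literal `</` that could end the enclosing script element. htmlspecialchars() stands in for the forum's pun_htmlspecialchars(); $subject, $forum and $url are constructed inputs, and the check() helper is mine.

```php
<?php
// Added example; not part of the textpattern-forum code base.
// htmlspecialchars() stands in for the forum's pun_htmlspecialchars().

// Constructed topic heading with the characters that matter here:
// a backslash, a closing script tag, an ampersand and double quotes.
$subject = 'C:\users </script> Q&A "quoted"';
$forum   = 'General';
$url     = 'https://forum.textpattern.io/viewtopic.php?id=1&p=2';

// Pattern described in the issue: HTML-escaped values spliced into
// a hand-written JSON object. The escaper knows nothing about JSON,
// so backslashes pass through unescaped and & / " become entities.
function jsonld_html_escaped(string $subject, string $forum, string $url): string
{
    $s = htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
    $f = htmlspecialchars($forum, ENT_QUOTES, 'UTF-8');
    $u = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '{"@context":"https://schema.org","@type":"WebSite",'
        . '"headline":"' . $s . '",'
        . '"description":"Postings in the ‘' . $s . '’ topic in the ‘' . $f . '’ subforum.",'
        . '"url":"' . $u . '"}';
}

// Proposed pattern: build the object in PHP and let json_encode() do
// the escaping. JSON_HEX_TAG writes < and > as \u003C and \u003E, so no
// value can contain a literal "</script" and terminate the element
// (json_encode also writes "/" as "\/" by default, for the same reason).
// JSON_HEX_AMP writes & as \u0026: a JSON escape, not an HTML entity,
// which decodes back to a plain "&". Quotes and backslashes are
// handled by json_encode itself.
function jsonld_json_encoded(string $subject, string $forum, string $url): string
{
    $data = array(
        '@context'    => 'https://schema.org',
        '@type'       => 'WebSite',
        'headline'    => $subject,
        'description' => 'Postings in the ‘' . $subject . '’ topic in the ‘' . $forum . '’ subforum.',
        'url'         => $url,
    );
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE);
}

// Wrap a JSON document in the script element the page embeds it in.
function jsonld_block(string $json): string
{
    return '<script type="application/ld+json">' . "\n" . $json . "\n" . '</script>';
}

// Three checks a reviewer would run on each variant:
//  - does the body parse as JSON at all?
//  - does the decoded headline equal the original heading?
//  - does the body contain a literal "</" that could end the element?
function check(string $label, string $json, string $subject): array
{
    $decoded   = json_decode($json, true);
    $valid     = is_array($decoded);
    $roundtrip = $valid && $decoded['headline'] === $subject;
    $can_close = strpos($json, '</') !== false;
    printf("%-13s valid JSON: %-3s headline round-trips: %-3s contains '</': %s\n",
        $label, $valid ? 'yes' : 'no', $roundtrip ? 'yes' : 'no', $can_close ? 'yes' : 'no');
    return array('valid' => $valid, 'roundtrip' => $roundtrip, 'can_close' => $can_close);
}

check('html-escaped', jsonld_html_escaped($subject, $forum, $url), $subject);
check('json_encode',  jsonld_json_encoded($subject, $forum, $url), $subject);
echo jsonld_block(jsonld_json_encoded($subject, $forum, $url)), "\n";
```

With this input the hand-built variant is not valid JSON at all, because the heading's `\u` followed by `sers` is parsed as a malformed Unicode escape, and even with a harmless heading the `&amp;` and `&quot;` entities would reach any JSON-LD consumer as literal text. The json_encode() variant parses, gives back the original heading, and contains no `</` sequence that could close the script element.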

philwareham commented 7 years ago

Thanks, I'll see about fixing this issue tomorrow morning.