wolverine2k / crunchy

Automatically exported from code.google.com/p/crunchy

POTENTIAL SECURITY RISK: no_style #177

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Just recording the potential security risk - it might no longer be an issue
with the new Pygments based styling BUT could become one again.

If a tutorial writer used the "no_style" option (as it used to exist),
Crunchy would leave all styling in place.  This could have allowed the
insertion of hidden code e.g.
<pre title="doctest no_style">
>>> <span style="display:none">do_nasty_stuff()</span>
>>> print "innocent looking code"
</pre>
A user would have *no* clue that the hidden code (extracted behind the
scenes by Crunchy) could be executed at the click of a button.

Even if this is now a non-issue, we need to write at least a "test page"
recording this so that future developers would not make the same mistake.

It seemed innocent enough: leaving the possibility of a tutorial writer to
define his/her own great looking style...  With Pygments, enough styles are
now possible (and more could be created) so that a tutorial writer could
suggest a style to use - without compromising Crunchy's security.

Original issue reported on code.google.com by andre.ro...@gmail.com on 11 Sep 2008 at 9:25
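
The check the report asks for, sketched as an added example (not part of the original issue and not Crunchy's own code): it compares the text an extractor would pull out of a `<pre>` block with the text a reader can actually see, and reports anything that only the extractor sees. The names `HiddenCodeFinder` and `find_hidden_code` and the list of hiding styles are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Inline style declarations that hide an element's text from the reader.
# Assumption: this short list is illustrative, not exhaustive.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag


class HiddenCodeFinder(HTMLParser):
    """Collects every text node plus the ones a reader cannot see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # one bool per open element: hidden (directly or inherited)?
        self.extracted = []  # all text, as a naive code extractor would gather it
        self.hidden = []     # text located inside a hiding element

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1]
        self.stack.append(inherited or bool(HIDING.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.extracted.append(data)
        if self.stack and self.stack[-1] and data.strip():
            self.hidden.append(data.strip())


def find_hidden_code(fragment):
    """Return (extracted_text, hidden_fragments) for an HTML fragment."""
    finder = HiddenCodeFinder()
    finder.feed(fragment)
    finder.close()
    return "".join(finder.extracted), finder.hidden

# Constructed sample: the markup quoted in the issue report.
SAMPLE = ('<pre title="doctest no_style">\n'
          '>>> <span style="display:none">do_nasty_stuff()</span>\n'
          '>>> print "innocent looking code"\n</pre>')

if __name__ == "__main__":
    text, hidden = find_hidden_code(SAMPLE)
    print("would be executed:", repr(text))
    print("not visible to the reader:", hidden)
```

A non-empty second value means the page contains code the reader cannot see, which is the condition a regression test page for this issue needs to catch; styles applied through a stylesheet or class are outside what this inline-style check covers.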

GoogleCodeExporter commented 8 years ago
This does not appear to be a problem: no_style is no longer recognized.
Keeping the issue alive until no_style is removed from the documentation OR
re-implemented but shown to be safe.

Original comment by andre.ro...@gmail.com on 3 Oct 2008 at 9:06

GoogleCodeExporter commented 8 years ago
no_style removed from documentation - and an explanation added in the
documentation pointing out this problem for future reference.  A functional
test case (html page) has also been added.

Original comment by andre.ro...@gmail.com on 5 Oct 2008 at 5:08

GoogleCodeExporter commented 8 years ago
It is possible, following changes in revision 1037, to hide code ...
I need to find a better way to prevent this from happening...

Making this issue alive again.

Original comment by andre.ro...@gmail.com on 6 Oct 2008 at 3:05

GoogleCodeExporter commented 8 years ago
Fixed in revision 1038.

Original comment by andre.ro...@gmail.com on 6 Oct 2008 at 11:25