author | Florian Bruhin <git@the-compiler.org> | 2018-06-21 21:20:19 +0200 |
---|---|---|
committer | Florian Bruhin <git@the-compiler.org> | 2018-06-21 21:43:53 +0200 |
commit | 4c9360237f186681b1e3f2a0f30c45161cf405c7 (patch) | |
tree | 871558da1c2473f55870079f093e7b701e6b021a | |
parent | 10538738e0203a35b312be3d5331a77013bbc090 (diff) | |
download | qutebrowser-4c9360237f186681b1e3f2a0f30c45161cf405c7.tar.gz qutebrowser-4c9360237f186681b1e3f2a0f30c45161cf405c7.zip |
Fix XSS issue on qute://history
Fixes #4011
(cherry picked from commit 5a7869f2feaa346853d2a85413d6527c87ef0d9f)
-rw-r--r-- | qutebrowser/browser/qutescheme.py | 6 | ||||
-rw-r--r-- | tests/end2end/data/issue4011.html | 10 | ||||
-rw-r--r-- | tests/end2end/features/history.feature | 5 |
3 files changed, 19 insertions, 2 deletions
diff --git a/qutebrowser/browser/qutescheme.py b/qutebrowser/browser/qutescheme.py
index 8866f1643..9bcd2e363 100644
--- a/qutebrowser/browser/qutescheme.py
+++ b/qutebrowser/browser/qutescheme.py
@@ -24,6 +24,7 @@ Module attributes:
     _HANDLERS: The handlers registered via decorators.
 """
 
+import html
 import json
 import os
 import time
@@ -241,8 +242,9 @@ def history_data(start_time, offset=None):
         end_time = start_time - 24*60*60
         entries = hist.entries_between(end_time, start_time)
 
-    return [{"url": e.url, "title": e.title or e.url, "time": e.atime}
-            for e in entries]
+    return [{"url": html.escape(e.url),
+             "title": html.escape(e.title) or html.escape(e.url),
+             "time": e.atime} for e in entries]
 
 
 @add_handler('history')
diff --git a/tests/end2end/data/issue4011.html b/tests/end2end/data/issue4011.html
new file mode 100644
index 000000000..488193736
--- /dev/null
+++ b/tests/end2end/data/issue4011.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title><img src="x" onerror="console.log('XSS')">foo</title>
+  </head>
+  <body>
+    foo
+  </body>
+</html>
diff --git a/tests/end2end/features/history.feature b/tests/end2end/features/history.feature
index 9863d2c7f..10658cb31 100644
--- a/tests/end2end/features/history.feature
+++ b/tests/end2end/features/history.feature
@@ -111,3 +111,8 @@ Feature: Page history
         And I wait until qute://history is loaded
         Then the page should contain the plaintext "3.txt"
         Then the page should contain the plaintext "4.txt"
+
+    Scenario: XSS in :history
+        When I open data/issue4011.html
+        And I open qute://history
+        Then the javascript message "XSS" should not be logged
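Review bot: `html.escape(e.title)` on the new `"title"` line raises if `e.title` is None, whereas the replaced `e.title or e.url` fell through to the URL before anything was done with the title; escaping the chosen value once, `"title": html.escape(e.title or e.url),`, keeps that fallback and avoids escaping the URL a second time. Escaping inside `history_data` also changes what the data endpoint hands out: an `&` in a URL becomes `&amp;` in the `url` field, so any consumer that uses the field as a link target or as text rather than inserting it as markup receives an altered value — presumably these dicts are serialized for the history page's script, which is not visible here. Escaping at the point where the strings are inserted into HTML would keep the data raw and rule out double-encoding; failing that, the docstring of `history_data` should state that `url` and `title` are returned HTML-escaped so callers do not escape them again. `history_data` begins outside the hunk.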