authorFlorian Bruhin <git@the-compiler.org>2018-06-21 21:20:19 +0200
committerFlorian Bruhin <git@the-compiler.org>2018-06-21 21:43:53 +0200
commit4c9360237f186681b1e3f2a0f30c45161cf405c7 (patch)
tree871558da1c2473f55870079f093e7b701e6b021a
parent10538738e0203a35b312be3d5331a77013bbc090 (diff)
downloadqutebrowser-4c9360237f186681b1e3f2a0f30c45161cf405c7.tar.gz
qutebrowser-4c9360237f186681b1e3f2a0f30c45161cf405c7.zip
Fix XSS issue on qute://history
Fixes #4011 (cherry picked from commit 5a7869f2feaa346853d2a85413d6527c87ef0d9f)
-rw-r--r--qutebrowser/browser/qutescheme.py6
-rw-r--r--tests/end2end/data/issue4011.html10
-rw-r--r--tests/end2end/features/history.feature5
3 files changed, 19 insertions, 2 deletions
diff --git a/qutebrowser/browser/qutescheme.py b/qutebrowser/browser/qutescheme.py
index 8866f1643..9bcd2e363 100644
--- a/qutebrowser/browser/qutescheme.py
+++ b/qutebrowser/browser/qutescheme.py
@@ -24,6 +24,7 @@ Module attributes:
_HANDLERS: The handlers registered via decorators.
"""
+import html
import json
import os
import time
@@ -241,8 +242,9 @@ def history_data(start_time, offset=None):
end_time = start_time - 24*60*60
entries = hist.entries_between(end_time, start_time)
- return [{"url": e.url, "title": e.title or e.url, "time": e.atime}
- for e in entries]
+ return [{"url": html.escape(e.url),
+ "title": html.escape(e.title) or html.escape(e.url),
+ "time": e.atime} for e in entries]
@add_handler('history')
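Review bot: The new title expression `html.escape(e.title) or html.escape(e.url)` raises AttributeError if e.title is ever None, whereas the replaced `e.title or e.url` tolerated a None title; whether the history backend can yield None here is not visible in this hunk, but `"title": html.escape(e.title or e.url)` keeps the old fallback and escapes once. Separately, escaping inside history_data means every consumer of this list receives entity-encoded strings — an `&` in a URL query becomes `&amp;` in the "url" field — so a renderer that inserts the value via textContent or builds an href from it would display or navigate to the wrong value; if the qute://history page is the only consumer and it injects these as markup, a comment such as `# Values are HTML-escaped here: the history page inserts them as markup` would record that contract for the next caller. history_data's signature and the start of its body are outside the hunk.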
diff --git a/tests/end2end/data/issue4011.html b/tests/end2end/data/issue4011.html
new file mode 100644
index 000000000..488193736
--- /dev/null
+++ b/tests/end2end/data/issue4011.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>&lt;img src=&quot;x&quot; onerror=&quot;console.log('XSS')&quot;&gt;foo</title>
+ </head>
+ <body>
+ foo
+ </body>
+</html>
diff --git a/tests/end2end/features/history.feature b/tests/end2end/features/history.feature
index 9863d2c7f..10658cb31 100644
--- a/tests/end2end/features/history.feature
+++ b/tests/end2end/features/history.feature
@@ -111,3 +111,8 @@ Feature: Page history
And I wait until qute://history is loaded
Then the page should contain the plaintext "3.txt"
Then the page should contain the plaintext "4.txt"
+
+ Scenario: XSS in :history
+ When I open data/issue4011.html
+ And I open qute://history
+ Then the javascript message "XSS" should not be logged
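Review bot: The new scenario asserts only that no "XSS" message is logged, so it also passes if the history entry never renders at all (for instance if qute://history has not finished loading when the check runs); the sibling scenario just above waits with `And I wait until qute://history is loaded` before asserting on the page. Adding that wait and a positive check that the escaped title is actually displayed, `Then the page should contain the plaintext "onerror"`, makes the test demonstrate the escaping rather than the absence of output.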