[Bug] Modpack descriptions not escaped in `og:description` meta
Closed this issue · 0 comments
Problem
Modpack descriptions that contain quotes (or just links, which have quotes added automatically somehow) can terminate the `og:description` tag prematurely and inject markup into the page:
https://spacedock.info/pack/397/Cuinq
SpaceDock/templates/mod_list.html, line 9 in 70b1583
We're using bleach there, which should at least block potentially harmful scripts.
Suggestions
The description needs to be rendered to fit in an HTML attribute (quotes replaced with something else).
We might be able to do that by adding `| escape`?
https://bleach.readthedocs.io/en/latest/clean.html
If you need to use the output of bleach.clean() in an HTML attribute, you need to pass it through your template library’s escape function. For example, Jinja2’s escape or django.utils.html.escape or something like that.
https://jinja.palletsprojects.com/en/3.0.x/templates/#jinja-filters.escape
We should consider adding this to most of the other tags added in #385, just in case. I haven't found other problems yet, but trusting user-edited data is risky.
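To make the difference concrete, here is an added Python example (not SpaceDock's code): it renders the `og:description` tag both with and without attribute escaping and feeds the result to the standard library's HTML parser to see what actually survives. It uses `html.escape(quote=True)` in place of Jinja2's `| escape` filter (same `& < > " '` replacements) and two constructed strings in place of real bleach output; the URL is a placeholder.

```python
import html
from html.parser import HTMLParser

# Constructed samples standing in for bleach.clean()/linkify() output: bleach
# keeps quotes in the text and adds quoted href attributes to links, so the
# string is fine as element *content* but not inside an attribute value.
SAMPLES = [
    'The "best" Kerbal pack',
    'See <a href="https://example.invalid/pack" rel="nofollow">the pack</a> for details',
]

def render_meta_unescaped(desc: str) -> str:
    """Vulnerable: the bleached string is dropped straight into the attribute."""
    return f'<meta property="og:description" content="{desc}">'

def render_meta_escaped(desc: str) -> str:
    """Fixed: attribute-context escaping; quote=True also rewrites " and '
    so the description can no longer close the content attribute."""
    return f'<meta property="og:description" content="{html.escape(desc, quote=True)}">'

class _HeadParser(HTMLParser):
    """Records what an HTML parser would actually see in the rendered <head>."""
    def __init__(self):
        super().__init__()
        self.content = None   # content= attribute of the first <meta>
        self.leaked = []      # anything that escaped from the attribute
    def handle_starttag(self, tag, attrs):
        if tag == "meta" and self.content is None:
            self.content = dict(attrs).get("content")
        else:
            self.leaked.append(("start", tag))
    def handle_endtag(self, tag):
        self.leaked.append(("end", tag))
    def handle_data(self, data):
        if data.strip():
            self.leaked.append(("text", data))

def analyze(markup: str) -> dict:
    """Return the og:description the parser recovered and any leaked markup."""
    p = _HeadParser()
    p.feed(markup)
    p.close()
    return {"content": p.content, "leaked": p.leaked}

def description_survives(desc: str, render) -> bool:
    """True iff the attribute round-trips intact and nothing leaks out of it."""
    r = analyze(render(desc))
    return r["content"] == desc and r["leaked"] == []
```

With the unescaped renderer the first sample is truncated to `The ` and the second one additionally leaks `</a>` and trailing text into the document; with the escaped renderer both round-trip unchanged. Note that Jinja2's `escape` leaves values already marked safe (`Markup` or `| safe`) untouched, so the filter has to be applied to the plain bleached string.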