
List:       kde-panel-devel
Subject:    D10188: Sanitise notification HTML
From:       Jason A. Donenfeld <noreply () phabricator ! kde ! org>
Date:       2018-02-04 23:42:39
Message-ID: 20180204234239.1.7F88CDDA0CE34F2E () phabricator ! kde ! org

zx2c4 added a comment.


  In https://phabricator.kde.org/D10188#201097, @davidedmundson wrote:
  
  > That would break very core functionality of existing clients and goes against the notification spec.
  
  Then the spec itself is vulnerable and needs to change.
  
  Switch people to data: URIs, or come up with some other kind of mechanism. Allowing remote users to load and render local paths is not okay. Full stop.

REPOSITORY
  R120 Plasma Workspace

REVISION DETAIL
  https://phabricator.kde.org/D10188

To: davidedmundson, #plasma, fvogt
Cc: zx2c4, broulik, aacid, fvogt, plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart

