MobileRead Forums - View Single Post

eureka · 02-04-2012, 09:03 AM

@ixtab, please, don't include Pillow and WAF resources to your [automatically built] snapshots yet!!

(However, localization bundles built for testing purposes with manual checking of translated Pillow/WAF resources before building are OK.)

Pillow and WAF strings are used in HTML. They are possible source of XSS and I've overlooked this fact. I must implement some solution to filter these strings and leave only allowed HTML tags (so far, I've found two such tags in original JS files: <br> and <p>).

Also I've missed WAF's browser/readability/messages.js in extraction process. There is <a> tag in this file with embedded JavaScript as onClick handler. This embedded JavaScript probably should go into metadata...

02-04-2012, 09:03 AM	#255
eureka but forgot what it's like Posts: 741 Karma: 2345678 Join Date: Dec 2011 Location: north (by northwest) Device: Kindle Touch	@ixtab, please, don't include Pillow and WAF resources to your [automatically built] snapshots yet!! (However, localization bundles built for testing purposes with manual checking of translated Pillow/WAF resources before building are OK.) Pillow and WAF strings are used in HTML. They are possible source of XSS and I've overlooked this fact. I must implement some solution to filter these strings and leave only allowed HTML tags (so far, I've found two such tags in original JS files: <br> and <p>). Also I've missed WAF's browser/readability/messages.js in extraction process. There is <a> tag in this file with embedded JavaScript as onClick handler. This embedded JavaScript probably should go into metadata...