Fix XSS issue on qute://history

Fixes #4011
2018-06-21 21:20:19 +02:00 · 2018-06-21 21:20:19 +02:00 · 5a7869f2fe
commit 5a7869f2fe
parent 62d8b5b574
3 changed files with 19 additions and 2 deletions
--- a/qutebrowser/browser/qutescheme.py
+++ b/qutebrowser/browser/qutescheme.py
@ -24,6 +24,7 @@ Module attributes:
    _HANDLERS: The handlers registered via decorators.
 """

+import html
 import json
 import os
 import time
@ -241,8 +242,9 @@ def history_data(start_time, offset=None):
        end_time = start_time - 24*60*60
        entries = hist.entries_between(end_time, start_time)

-    return [{"url": e.url, "title": e.title or e.url, "time": e.atime}
-            for e in entries]
+    return [{"url": html.escape(e.url),
+             "title": html.escape(e.title) or html.escape(e.url),
+             "time": e.atime} for e in entries]


@add_handler('history')
--- a/tests/end2end/data/issue4011.html
+++ b/tests/end2end/data/issue4011.html
@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>&lt;img src=&quot;x&quot; onerror=&quot;console.log('XSS')&quot;&gt;foo</title>
+    </head>
+    <body>
+        foo
+    </body>
+</html>
--- a/tests/end2end/features/history.feature
+++ b/tests/end2end/features/history.feature
@ -112,3 +112,8 @@ Feature: Page history
        And I wait until qute://history is loaded
        Then the page should contain the plaintext "3.txt"
        Then the page should contain the plaintext "4.txt"
+
+    Scenario: XSS in :history
+        When I open data/issue4011.html
+        And I open qute://history
+        Then the javascript message "XSS" should not be logged