[sword-devel] RTFHTML filter not escaping HTML entities

Sun Dec 30 14:30:00 MST 2018

One potential risk would be from modules manually installed after being downloaded from somewhere we have no connection with.

For the repositories in our MRL, the risk should be much lower, providing the release procedure includes adequate human inspection of the .conf file.

David

Sent from ProtonMail Mobile

On Sun, Dec 30, 2018 at 21:20, DM Smith <dmsmith at crosswire.org> wrote:

> What is the likelihood/risk of an untrustworthy conf?
>
> — DM Smith
> From my phone. Brief. Weird autocorrections.
>
> On Dec 30, 2018, at 4:14 PM, Jaak Ristioja <jaak at ristioja.ee> wrote:
>
>>> It looks like BibleTime, too, is guilty of not properly escaping those.
>>
>> Actually it seems that the RTFHTML filter in Sword (and Sword++ for that
>> matter) does not properly escape HTML entities included in the RTF. So
>> if the RTF includes <b> or any other HTML tags, these are passed on
>> unmodified, wherease they should instead be escaped using &lt;, &gt; and
>> similar entities. This could allow arbitrary HTML injection from the RTF.
>>
>> J
>>
>>
>>
>>> On 30.12.18 23:03, Jaak Ristioja wrote:
>>> Btw, grepping my ~/.sword/mods.d/*.conf shows that <a> tags are used
>>> elsewhere as well, e.g. in About= and DistributionNotes=. There are even
>>> some <b>, <i> and <u> tags in About= and History_x.x= entries.
>>>
>>> It looks like BibleTime, too, is guilty of not properly escaping those.
>>>
>>> J
>>>
>>>> On 30.12.18 10:32, David Haslam wrote:
>>>> Wouldn’t the points about HTML apply just as equally to the existing ShortPromo key ?
>>>>
>>>> Some front-ends already jump to the URL specified in the href, and can open a browser to do so.
>>>>
>>>> David
>>>>
>>>> Sent from ProtonMail Mobile
>>>>
>>>>> On Sun, Dec 30, 2018 at 00:39, Jaak Ristioja <jaak at ristioja.ee> wrote:
>>>>>
>>>>> I like the idea, because it is useful information for the users. Here
>>>>> are some of the thoughts I gathered for this:
>>>>>
>>>>> <brainstorm xmlns="https://en.wikipedia.org/wiki/Brainstorming">
>>>>>
>>>>> Why can't the About= entry contain this information?
>>>>>
>>>>> I'm unsure whether "UnlockInfo" is the best name.
>>>>>
>>>>> Is it safe to assume that this entry will only be relevant for modules
>>>>> with a CipherKey= entry?
>>>>>
>>>>> Using HTML might be a can of worms:
>>>>> * What version of HTML is permitted?
>>>>> * How do we ensure future-compatibility?
>>>>> * If the contents for the UnlockInfo field are to contain a segment of
>>>>> HTML (and not a whole HTML document), what is the content model?
>>>>> * For example, would it be safe to embed the contents of the
>>>>> UnlockInfo field directly inside a <td> element or should it be a <p>?
>>>>> * Can UnlockInfo= contain
>>>>> <img>/<audio>/<video>/<object>/<embed>/<script> etc elements?
>>>>> * How about attributes, e.g. <strong
>>>>> style='background:url("http://track.me/I_consent")'> or <span
>>>>> onClick="doBadStuff()">?
>>>>>
>>>>> Modules can originate from untrusted sources. I think it might be a bit
>>>>> too much to assume that all frontends can properly sanitize the HTML
>>>>> value, unless we only allow a very restricted subset of the HTML syntax,
>>>>> e.g. only plain text, HTML entities and <a> elements only one allowed
>>>>> and mandatory href attribute. Note that <b> and <i> etc are discouraged
>>>>> in HTML5, <u> was completely redefined. Will <a> ("anchor") still be
>>>>> valid in HTML6 or will <link> be repurposed for hyperlinks as well?
>>>>>
>>>>> Hence I suggest to use a simple URL (or URI, RFC 3986) instead of HTML.
>>>>> Simple documents (including HTML pages, PDF or any other types of files)
>>>>> could be embedded using the data: URI scheme (RFC 2397). Frontends could
>>>>> pass the URI to the OS/desktop/browser to be opened or attempt to
>>>>> display the information inline (e.g. show a web view widget for
>>>>> HTTP/HTTPS URIs or similar). Optionally, frontends can display a
>>>>> warning/confirmation dialog to the user before opening the URI.
>>>>>
>>>>> Perhaps it would be wiser to have two fields: one for the URI and
>>>>> another for plain text? I currently have no suggestions for the exact
>>>>> semantics of naming of such entries, but both of these could be
>>>>> displayed by frontends. The plain text could be a description of the
>>>>> URI, or contain full information about obtaining the key. One or both of
>>>>> the entries could be optional. Frontends could opt to detect URLs in the
>>>>> plain text as well and render these as hyperlinks.
>>>>>
>>>>> Or perhaps we should use a subset of markdown or similar instead?
>>>>> However, other markup languages could suffer from problems similar to HTML.
>>>>>
>>>>> </brainstorm>
>>>>>
>>>>> J
>>>>>
>>>>>> On 30.12.18 00:02, Troy A. Griffitts wrote:
>>>>>> Dear Frontend Developers,
>>>>>>
>>>>>> In an effort to gain more publishers-- even those who desire to lock and
>>>>>> sell some of their modules, I would like to add a new .conf entry:
>>>>>>
>>>>>> UnlockInfo
>>>>>>
>>>>>> Up until now, we've relied on the About entry containing something that
>>>>>> lets the user know how to obtain unlock codes from publishers selling
>>>>>> codes to unlock their modules. This entry would isolate just those
>>>>>> instructions to a specific entry and would allow a frontend to do
>>>>>> something like:
>>>>>>
>>>>>> If (moduleToInstall.getConfEntry("UnlockInfo")) {
>>>>>>
>>>>>> showDialog("<p>The publisher of this modules requires for you to
>>>>>> obtain an unlock code. This code can be entered below, instructions
>>>>>> from the publisher are as follows:</p>" +
>>>>>> moduleToInstall.getConfEntry("UnlockInfo"));
>>>>>>
>>>>>> }
>>>>>>
>>>>>> Like many of our entries, this new UnlockInfo entry will allow HTML
>>>>>> links and will likely contain a direct link from the publisher to their
>>>>>> store entry to purchase an unlock code.
>>>>>>
>>>>>> An example would be something like:
>>>>>>
>>>>>> UnlockInfo=An unlock code for the Larry Fitzgerald NFL HOF Edition of
>>>>>> the New Testament, with memorable career moments encouraging the
>>>>>> believer to press on when those around fall short, may be obtained
>>>>>> directly from the NFL store here: <a target="_blank"
>>>>>> href="https://nfl.com/shop/lf-nfl-hof-nt-sword-module">Larry Fitzgerald
>>>>>> NFL HOF Edition of the New Testament - SWORD Module</a>
>>>>>>
>>>>>> Let me know if you have any comments or ideas,
>>>>>>
>>>>>> Troy
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> sword-devel mailing list: sword-devel at crosswire.org
>>>>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>>> Instructions to unsubscribe/change your settings at above page
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> sword-devel mailing list: sword-devel at crosswire.org
>>>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>> Instructions to unsubscribe/change your settings at above page
>>>>>
>>>>> _______________________________________________
>>>>> sword-devel mailing list: sword-devel at crosswire.org
>>>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>>>> Instructions to unsubscribe/change your settings at above page
>>>
>>>
>>> _______________________________________________
>>> sword-devel mailing list: sword-devel at crosswire.org
>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>> Instructions to unsubscribe/change your settings at above page
>>>
>>
>>
>> _______________________________________________
>> sword-devel mailing list: sword-devel at crosswire.org
>> http://www.crosswire.org/mailman/listinfo/sword-devel
>> Instructions to unsubscribe/change your settings at above page
>
> _______________________________________________
> sword-devel mailing list: sword-devel at crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.crosswire.org/pipermail/sword-devel/attachments/20181230/5bd82095/attachment.html>