[epiphany/mcatanzaro/#1612: 1/11] Add secure output encoding functions
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/mcatanzaro/#1612: 1/11] Add secure output encoding functions
- Date: Wed, 15 Dec 2021 15:27:02 +0000 (UTC)
commit 8b1c36099375786e92db25c7496c2eb8d264d15c
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Tue Dec 14 16:41:00 2021 -0600
Add secure output encoding functions
If we fail to use these when required, malicious web content could XSS
Epiphany's internal pages.
(As you might guess, the fact that these functions don't exist already
indicates that is currently possible in various places.)
lib/ephy-output-encoding.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++
lib/ephy-output-encoding.h | 38 ++++++++++++++++++++++++
lib/meson.build | 1 +
3 files changed, 113 insertions(+)
---
diff --git a/lib/ephy-output-encoding.c b/lib/ephy-output-encoding.c
new file mode 100644
index 000000000..7256059ed
--- /dev/null
+++ b/lib/ephy-output-encoding.c
@@ -0,0 +1,74 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * Copyright © Red Hat Inc.
+ *
+ * This file is part of Epiphany.
+ *
+ * Epiphany is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Epiphany is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Epiphany. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "config.h"
+#include "ephy-output-encoding.h"
+
+#include <glib.h>
+
+char *
+ephy_encode_for_html_entity (const char *input)
+{
+ GString *str = g_string_new (input);
+
+ g_string_replace (str, "&", "&", 0);
+ g_string_replace (str, "<", "<", 0);
+ g_string_replace (str, ">", ">", 0);
+ g_string_replace (str, "\"", """, 0);
+ g_string_replace (str, "'", "'", 0);
+ g_string_replace (str, "/", "/", 0);
+
+ return g_string_free (str, FALSE);
+}
+
+static char *
+encode_all_except_alnum (const char *input,
+ const char *format)
+{
+ GString *str;
+ const char *c = input;
+
+ if (!g_utf8_validate (input, -1, NULL))
+ return g_strdup ("");
+
+ str = g_string_new (NULL);
+ do {
+ gunichar u = g_utf8_get_char (c);
+ if (g_unichar_isalnum (u))
+ g_string_append_unichar (str, u);
+ else
+ g_string_append_printf (str, format, u);
+ c = g_utf8_next_char (c);
+ } while (*c);
+
+ return g_string_free (str, FALSE);
+}
+
+char *
+ephy_encode_for_html_attribute (const char *input)
+{
+ return encode_all_except_alnum (input, "&#x%02x;");
+}
+
+char *
+ephy_encode_for_javascript (const char *input)
+{
+ return encode_all_except_alnum (input, "\\u%04u;");
+}
diff --git a/lib/ephy-output-encoding.h b/lib/ephy-output-encoding.h
new file mode 100644
index 000000000..7ff6a33bd
--- /dev/null
+++ b/lib/ephy-output-encoding.h
@@ -0,0 +1,38 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * Copyright © 2021 Red Hat Inc.
+ *
+ * This file is part of Epiphany.
+ *
+ * Epiphany is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Epiphany is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Epiphany. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include <glib.h>
+
+G_BEGIN_DECLS
+
+/* These functions implement the OWASP XSS prevention output encoding rules:
+ *
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary
+ *
+ * You must *carefully* read that document to safely inject untrusted data into
+ * web content. Here be dragons.
+ */
+
+char *ephy_encode_for_html_entity (const char *input);
+char *ephy_encode_for_html_attribute (const char *input);
+char *ephy_encode_for_javascript (const char *input);
+
+G_END_DECLS
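Review bot: The three prototypes carry no per-function documentation, so a caller cannot tell from the header which output context each one is for or that the returned string is newly allocated and must be released with g_free(). I would add a short comment above each declaration, e.g. above the first `/* For untrusted data placed in HTML element content. Returns a newly allocated string; free with g_free(). */`, with equivalent comments naming HTML attribute values and JavaScript string data for the other two. The comments should also state that the attribute and JavaScript encoders return an empty string when the input is not valid UTF-8 (as the implementation in ephy-output-encoding.c does), since a caller may otherwise mistake that for a successful encoding of empty input. The URL line of the comment block appears to have lost its ` * ` prefix in this rendering; I assume that is an archive artifact rather than the committed text.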
diff --git a/lib/meson.build b/lib/meson.build
index 894589a1a..264f9c5fb 100644
--- a/lib/meson.build
+++ b/lib/meson.build
@@ -20,6 +20,7 @@ libephymisc_sources = [
'ephy-langs.c',
'ephy-notification.c',
'ephy-notification-container.c',
+ 'ephy-output-encoding.c',
'ephy-permissions-manager.c',
'ephy-profile-utils.c',
'ephy-search-engine-manager.c',