Width and alignment of RST images #114
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@mila can you rebase this? |
RST renders images with class="align-..." attributes. With this commit, the aligment won't stripped during bleach cleanup. Because class is already allowed on other elements (span, code, hr), this should not introduce any new possibilities for bad guys.
RST creates image tags with style="width: ...; height=...;" attributes. This commit stops bleach from stripping it. Width and height attributes are already whitelisted, so this should not allow anything new.
Rebased. |
theacodes
approved these changes
Jul 31, 2018
|
"CSS injection: what's the worst that can happen?" https://stackoverflow.com/questions/718611/css-injection-whats-the-worst-that-can-happen
https://bleach.readthedocs.io/en/latest/clean.html#allowed-styles-styles ALLOWED_STYLES = [
"width", "height",
]Does this set |
|
@dstufft Would having a separate domain for admin / logged-in actions like admin.pypi.org minimize the risk of things such as XSS in rendered long_descriptions? |
|
Here's the only rst_escape() function I'm aware of; it has zero tests: Where is the new markdown long_description support in the codebase? Things like |
To my best knowledge, that's not possible using
In
That's used when sanitizing both markdown and rst. |
|
Thanks.
While I think bleach is a good package, and I'd add tests to bleach if I
was aware of any untested XSS issues, I still think it best to run
user-supplied markup on a different domain; similar to how GitHub.io and
ReadTheDocs.io work; though a subdomain such as admin/edit.pypi.org instead
of a totally different TLD may actually be fine?
“Stop using .IO Domain Names for Production Traffic” @nickparsons
https://hackernoon.com/stop-using-io-domain-names-for-production-traffic-b6aa17eeac20
…On Sunday, September 16, 2018, Miloslav Pojman ***@***.***> wrote:
Injection of arbitrary CSS can lead to javascript execution.
To my best knowledge, that's not possible using width or height
attributes.
Where is the new markdown long_description support in the codebase?
In readme_renderer/markdown.py. It calls the same clean function to
sanitize HTML as rst does.
It's possible to generate HTML in markdown which cannot be generated from
rst.
Does this set bleach.sanitizer.ALLOWED_STYLES somewhere else or just the
global constant ALLOWED_STYLES?
That's used when sanitizing both markdown and rst.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#114 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADGy5BQ0l_N5jKIC-jZguIyckTK_aRmks5ubiY_gaJpZM4VlEDd>
.
|
|
I don't think that GitHub puts user supplied markup on a different domain.. they are putting it on all of these issues, README files, etc. They moved raw files to another domain, which PyPI already does. |
|
AFAIU, user-supplied JS (which may be present in HTML renders of
lightweight markup languages, static HTML, Jupyter notebooks,) is on a
separate domain in order to limit the impact of potential XSS vulns.
…On Monday, September 17, 2018, Donald Stufft ***@***.***> wrote:
I don't think that GitHub puts user supplied markup on a different
domain.. they are putting it on all of these issues, README files, etc.
They moved raw files to another domain, which PyPI already does.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#114 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADGy86jO2ZieRhJztIIiGUPV1o0gVSLks5ucAxqgaJpZM4VlEDd>
.
|
dstufft
reviewed
Sep 18, 2018
| @@ -0,0 +1 @@ | |||
| <img src="https://example.com/badge.png" style="width: 20px; height: 20px;"> | |||
There was a problem hiding this comment.
Sorry I hadn't looked at the code changes before, this isn't going to work on PyPI, we don't allow inline styles via CSP, so anything that relies on the style attribute is not going to work, and I would be a hard -1 on relaxing our CSP rules to allow it.
|
For future reference, this was reverted in #121. |
miketheman
added a commit
to miketheman/readme_renderer
that referenced
this pull request
Mar 9, 2022
Surfaced via `mypy`, recommended adding a type to the empty list. The list was originally empty back in 0.1.0. Instead of adding a type, remove the constant, and the code that uses it from `clean()` - as it was partially reverted in pypa#121. The default `ALLOWED_STYLES` in the underlying library is `[]`. Related: pypa#114 (comment) Signed-off-by: Mike Fiedler <miketheman@gmail.com>
di
pushed a commit
that referenced
this pull request
Mar 11, 2022
* chore: add mypy testing Scaffolding in the testing, and will not complete succssfully yet. Will be followed by code changes to pass. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * lint: ignore empty dict Surfaced via `mypy`, in that an empty dict could not infer what types could be there. Instead of importing `typing` and annotating the empty Dict, I opted to ignore the line, as we do not expect to populate the dict at all, and are using it to **prevent** additions to the value. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore: remove unused styles parameter Surfaced via `mypy`, recommended adding a type to the empty list. The list was originally empty back in 0.1.0. Instead of adding a type, remove the constant, and the code that uses it from `clean()` - as it was partially reverted in #121. The default `ALLOWED_STYLES` in the underlying library is `[]`. Related: #114 (comment) Signed-off-by: Mike Fiedler <miketheman@gmail.com> * fix: correct import for unescape Surfaced via `mypy`, in that the `html.parser` module does not have a direct implementation of `unescape`. Refs: https://docs.python.org/3.6/library/html.html#html.unescape In #192 support for Python 2.7 was removed, the import path changed. This works due to imports placing the imported code in the local scope. If the `html.parser` module ever stopped importing `unescape`, this import would break as a result. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore: update pytest markers cli flag Currently emits a warning: PytestRemovedIn8Warning: The --strict option is deprecated, use --strict-markers instead. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore(types): add types to clean module Surfaced by running mypy in strict mode, and added types where relevant. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore(types): add types to txt module Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore(types): add types to markdown module Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore: add types to rst module The types-docutils hints are still incomplete, good progress is being made. See: python/typeshed#7256 I've had to use an ignore on the class inheritance, and a couple of `typing.Any` annotations until that package implements more type hints. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore: ignore distutils module from types `mypy` strict mode is having a hard time with the `distutils` imports, since they are wrapped in `setuptools` right now as a private package. This pacakge's distutils integration will need to be reworked anyhow. Left a comment with details at the top of the file. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * test: use strict mode for mypy Prevent new things from creeping in during development. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore: tell the world we've got types Include a blank `py.typed` file in the package to inform `mypy` that there's types to be found in this package. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * chore: move strict flag to config Allows other tools to ebenfit from a consistent configuration. Signed-off-by: Mike Fiedler <miketheman@gmail.com> * refactor: change imports to be consistent with others Signed-off-by: Mike Fiedler <miketheman@gmail.com> * docs: add inline details for specific ignores Signed-off-by: Mike Fiedler <miketheman@gmail.com> * lint: apply more specific type Signed-off-by: Mike Fiedler <miketheman@gmail.com> * docs: add comment to why source is Any Signed-off-by: Mike Fiedler <miketheman@gmail.com> * lint: replace typing imports with relative ones Signed-off-by: Mike Fiedler <miketheman@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
RST renders images with
class="align-..." style="width: ...; height: ...". This pull request stops bleach from removing image styling.Allowing
classandstyleattributes can be controversial, but this PR does not introduce anything new -widthandheightattributes are already allowed (and other styles won't be allowed), andclasscan be already assigned tospanand other elements.This should follows PR #113 (merge it first for a smaller diff) and fixes issue #112.
Overall goal is to fix pypi/warehouse#4023.