From 6ccaf19045d049ea8a9ef9dec3a2f49959e88b56 Mon Sep 17 00:00:00 2001
From: papereth <69432409+papereth@users.noreply.github.com>
Date: Sat, 15 Aug 2020 15:19:47 +0100
Subject: [PATCH] Fixed `thread.html` template (#380)
* Update functions.php
` $_SERVER['REMOTE_ADDR']` was hardcoded in ban lookup instead of `$ip` variable
* Fix information leak in thread.html
Sensitive information can be leaked due to inadequate/absent escaping.
Line 14 is truncating before removing tags, this can cause some tags to be cut and therefore not be removed by the `remove_` functions.
Line 22 is just leaking it all, not removing anything.
* Fixed thread template
`remove_markup` is not available on vichan, arguably it makes things better but it's out of scope for this CHANGE, removing modifiers is enough to stop the info leak
consider adding it again after pulling:
fallenPineapple@a5b3336
also moving truncation before escaping for extra safety
---
templates/thread.html | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/thread.html b/templates/thread.html
index 02735c19..587ae038 100644
--- a/templates/thread.html
+++ b/templates/thread.html
@@ -11,7 +11,7 @@
{% include 'header.html' %}
- {% set meta_subject %}{% if config.thread_subject_in_title and thread.subject %}{{ thread.subject|e }}{% else %}{{ thread.body_nomarkup|remove_modifiers|remove_markup|e[:256] }}{% endif %}{% endset %}
+ {% set meta_subject %}{% if config.thread_subject_in_title and thread.subject %}{{ thread.subject|e }}{% else %}{{ thread.body_nomarkup|remove_modifiers[:256]|e }}{% endif %}{% endset %}
@@ -19,7 +19,7 @@
{% if thread.files.0.thumb %}{% endif %}
-
+
{{ board.url }} - {{ meta_subject }}