You may want to try performing some XSS attacks by including malicious HTML markup in comments. Try some of the methods shown on the [http://ha.ckers.org/xss.html XSS Cheat Sheet]. You should not be able to get past the sanitizer; if you are, please [/newticket let us know].

Speaking of the Atom feed, let's update the corresponding template so that it, too, includes the user-submitted HTML tags as markup, instead of as escaped text. Open `geddit/templates/info.xml`, and update it to look as follows:

{{{
#!genshi
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:py="http://genshi.edgewall.org/">

  <title>Geddit: ${link.title}</title>
  <id href="${url('/info/%s/' % link.id)}"/>
  <link rel="alternate" href="${url('/info/%s/' % link.id)}" type="text/html"/>
  <link rel="self" href="${url('/feed/%s/' % link.id)}" type="application/atom+xml"/>
  <updated py:with="time=link.comments and link.comments[-1].time or link.time">
    ${time.isoformat()}
  </updated>

  <?python from genshi import HTML ?>
  <entry py:for="idx, comment in enumerate(reversed(link.comments))">
    <title>Comment ${len(link.comments) - idx} on “${link.title}”</title>
    <link rel="alternate" href="${url('/info/%s/' % link.id)}#comment${idx}"
          type="text/html"/>
    <id>${url('/info/%s/' % link.id)}#comment${idx}</id>
    <author>
      <name>${comment.username}</name>
    </author>
    <updated>${comment.time.isoformat()}</updated>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml">
      ${HTML(comment.content)}
    </div></content>
  </entry>

</feed>
}}}

As above, we've added the import of the Genshi `HTML()` function. On the `<content>` element we've added the `type="xhtml"` attribute, and we've added a wrapper `<div>` inside it to declare the XHTML namespace. Finally, inside that `<div>`, we inject the comment text as an HTML-parsed stream, analogous to what we've done in the HTML template.
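Because `HTML(comment.content)` turns the stored comment into real markup inside the XHTML `<div>`, the only thing standing between a commenter and script execution in feed readers is the sanitizer that ran when the comment was saved. The following is an added example, written for this page and not part of the Geddit tutorial or of Genshi's own `HTMLSanitizer`: a stdlib-only allow-list sanitizer that parses untrusted comment HTML straight into the same `<div xmlns="http://www.w3.org/1999/xhtml">` wrapper the template uses, and records what it had to drop so the application can log or count rejected constructs. The tag and attribute allow-lists, the `SAFE_SCHEMES` tuple and the sample comment are assumptions chosen for the example.

```python
"""Allow-list sanitiser producing the XHTML <div> that the Atom template wraps
around ${HTML(comment.content)}.  Added example, stdlib only; not Genshi code.
Policy (an assumption for this example): unknown tags are removed but their text
is kept, <script>/<style> are removed together with their content, comments and
processing instructions are discarded, only allow-listed attributes are copied
(so on* handlers never survive), and href must be an absolute http/https/mailto URL.
"""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "code", "pre",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"br"}

ET.register_namespace("", XHTML_NS)   # serialise XHTML elements without a prefix


class AllowListSanitizer(HTMLParser):
    """Parses untrusted HTML into an XHTML <div> subtree, keeping only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # &lt; arrives as "<" text; ET re-escapes it
        self.root = ET.Element("{%s}div" % XHTML_NS)
        self.stack = [self.root]   # open elements; the root <div> is never popped
        self.dropped = []          # removed constructs, for logging or metrics
        self.skip_depth = 0        # >0 while inside <script>/<style>: content discarded

    @staticmethod
    def _qname(tag):
        return "{%s}%s" % (XHTML_NS, tag)

    @staticmethod
    def _safe_href(value):
        # Strip all whitespace (browsers ignore tabs/newlines inside URLs) before
        # checking the scheme, so "java\nscript:" is judged as "javascript:".
        compact = "".join((value or "").split()).lower()
        return compact.startswith(SAFE_SCHEMES)

    def _append_text(self, data):
        parent = self.stack[-1]
        if len(parent):
            parent[-1].tail = (parent[-1].tail or "") + data
        else:
            parent.text = (parent.text or "") + data

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in ("script", "style"):
                self.skip_depth += 1
            return
        if tag in ("script", "style"):
            self.skip_depth = 1
            self.dropped.append("<%s> with content" % tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append("<%s>" % tag)   # tag removed, its inner text is kept
            return
        el = ET.SubElement(self.stack[-1], self._qname(tag))
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append("%s@%s" % (tag, name))   # covers on*, style, src, ...
            elif name == "href" and not self._safe_href(value):
                self.dropped.append("%s@href=%r" % (tag, value))
            else:
                el.set(name, value or "")
        if tag not in VOID_TAGS:
            self.stack.append(el)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in ("script", "style"):
                self.skip_depth -= 1
            return
        qname = self._qname(tag)
        for i in range(len(self.stack) - 1, 0, -1):   # index 0 is the root <div>
            if self.stack[i].tag == qname:
                del self.stack[i:]   # also closes any children left unclosed
                return

    def handle_data(self, data):
        if not self.skip_depth:
            self._append_text(data)


def sanitize_to_xhtml(raw_html):
    """Returns (serialised XHTML <div>, list of dropped constructs)."""
    parser = AllowListSanitizer()
    parser.feed(raw_html)
    parser.close()
    return ET.tostring(parser.root, encoding="unicode"), parser.dropped


# Constructed sample comment: legitimate formatting plus constructs that must not survive.
SAMPLE_COMMENT = (
    '<p>Nice <b>find</b>! See <a href="https://example.com/x" title="t">this</a>.</p>'
    '<a href="javascript:alert(1)" onclick="steal()">clickme</a>'
    '<script>alert(1)</script>'
    '<img src=x onerror=alert(1)>'
    '<p>Tags like &lt;b&gt; typed as text stay text.</p>'
)

if __name__ == "__main__":
    xhtml, dropped = sanitize_to_xhtml(SAMPLE_COMMENT)
    print(xhtml)
    print("dropped:", dropped)
```

The `dropped` list is the operational hook: a comment that loses several constructs in one go is worth a log line, and a sudden rise in that count is an early signal that someone is probing the sanitizer. Note that the allow-list is deliberately stricter than a typical blog would want (no relative links, no images); loosening it is a policy decision to make per attribute, never by switching to a deny-list.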