<html><head></head><body>I would like to point out that modules downloaded from a source other than an endorsed repository could contain all kinds of stuff the user might not like. The entire module is suspect. The .conf file is the least of worries.<br><br>I am not concerned about escaping other markup. The official position is that we don't support any other markup beyond HTML &lt;a href...&gt; links. The behavior of including any other markup is undefined and bad practice. I am not concerned with preventing it. Practically, though, 90% of our frontends use HTML displays for most everything and thus other HTML tags will likely work.<br><br>I don't see the security issue. It's like opening a Word doc attached to an email from a stranger. You are not guaranteed it won't do something unkind. This is why we have endorsed SWORD repositories. To prevent all unkind things from ever happening would be like Word trying to prevent the same. It would occupy man years and never accomplish the goal.<br><br>Thoughts?<br><br>Troy<br><br><div class="gmail_quote">On December 30, 2018 2:57:48 PM MST, "refdoc@gmx.net" &lt;refdoc@gmx.net&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I think I must apologise here in that I do not check this particular matter at all in submitted modules. I will try and address this asap. <br><br>If anyone starts to create a tracker issue, I would be grateful for a single issue with a list of modules affected instead of one per module.<br><br>Peter<br><br>Sent from my mobile. Please forgive shortness, typos and weird autocorrects.<div class="quote" style="line-height: 1.5"><br><br>-------- Original Message --------<br>Subject: Re: [sword-devel] RTFHTML filter not escaping HTML entities<br>From: David Haslam &lt;dfhdfh@protonmail.com&gt;<br>To: SWORD Developers' Collaboration Forum &lt;sword-devel@crosswire.org&gt;<br>CC: <br><br><br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div>One potential risk would be from modules manually installed after being downloaded from somewhere we have no connection with. </div><div><br></div><div>For the repositories in our MRL, the risk should be much lower, providing the release procedure includes adequate human inspection of the .conf file. </div><div><br></div><div>David</div><div><br></div><div id="protonmail_mobile_signature_block">Sent from ProtonMail Mobile</div> <div><br></div><div><br></div>On Sun, Dec 30, 2018 at 21:20, DM Smith &lt;<a href="mailto:dmsmith@crosswire.org" class="">dmsmith@crosswire.org</a>&gt; wrote:<blockquote class="protonmail_quote" type="cite"> What is the likelihood/risk of an untrustworthy conf?<br><br>— DM Smith<br>From my phone. Brief. Weird autocorrections.<br><br>On Dec 30, 2018, at 4:14 PM, Jaak Ristioja &lt;jaak@ristioja.ee&gt; wrote:<br><br>>> It looks like BibleTime, too, is guilty of not properly escaping those.<br>><br>> Actually it seems that the RTFHTML filter in Sword (and Sword++ for that<br>> matter) does not properly escape HTML entities included in the RTF. 
So<br>> if the RTF includes &lt;b&gt; or any other HTML tags, these are passed on<br>> unmodified, whereas they should instead be escaped using &amp;lt;, &amp;gt; and<br>> similar entities. This could allow arbitrary HTML injection from the RTF.<br>><br>> J<br>><br>><br>><br>>> On 30.12.18 23:03, Jaak Ristioja wrote:<br>>> Btw, grepping my ~/.sword/mods.d/*.conf shows that &lt;a&gt; tags are used<br>>> elsewhere as well, e.g. in About= and DistributionNotes=. There are even<br>>> some &lt;b&gt;, &lt;i&gt; and &lt;u&gt; tags in About= and History_x.x= entries.<br>>><br>>> It looks like BibleTime, too, is guilty of not properly escaping those.<br>>><br>>> J<br>>><br>>>> On 30.12.18 10:32, David Haslam wrote:<br>>>> Wouldn’t the points about HTML apply just as equally to the existing ShortPromo key?<br>>>><br>>>> Some front-ends already jump to the URL specified in the href, and can open a browser to do so.<br>>>><br>>>> David<br>>>><br>>>> Sent from ProtonMail Mobile<br>>>><br>>>>> On Sun, Dec 30, 2018 at 00:39, Jaak Ristioja &lt;jaak@ristioja.ee&gt; wrote:<br>>>>><br>>>>> I like the idea, because it is useful information for the users. 
Here<br>>>>> are some of the thoughts I gathered for this:<br>>>>><br>>>>> &lt;brainstorm xmlns="https://en.wikipedia.org/wiki/Brainstorming"&gt;<br>>>>><br>>>>> Why can't the About= entry contain this information?<br>>>>><br>>>>> I'm unsure whether "UnlockInfo" is the best name.<br>>>>><br>>>>> Is it safe to assume that this entry will only be relevant for modules<br>>>>> with a CipherKey= entry?<br>>>>><br>>>>> Using HTML might be a can of worms:<br>>>>> * What version of HTML is permitted?<br>>>>> * How do we ensure future-compatibility?<br>>>>> * If the contents for the UnlockInfo field are to contain a segment of<br>>>>> HTML (and not a whole HTML document), what is the content model?<br>>>>> * For example, would it be safe to embed the contents of the<br>>>>> UnlockInfo field directly inside a &lt;td&gt; element or should it be a &lt;p&gt;?<br>>>>> * Can UnlockInfo= contain<br>>>>> &lt;img&gt;/&lt;audio&gt;/&lt;video&gt;/&lt;object&gt;/&lt;embed&gt;/&lt;script&gt; etc elements?<br>>>>> * How about attributes, e.g. &lt;strong<br>>>>> style='background:url("http://track.me/I_consent")'&gt; or &lt;span<br>>>>> onClick="doBadStuff()"&gt;?<br>>>>><br>>>>> Modules can originate from untrusted sources. I think it might be a bit<br>>>>> too much to assume that all frontends can properly sanitize the HTML<br>>>>> value, unless we only allow a very restricted subset of the HTML syntax,<br>>>>> e.g. only plain text, HTML entities and &lt;a&gt; elements with only one allowed<br>>>>> and mandatory href attribute. Note that &lt;b&gt; and &lt;i&gt; etc are discouraged<br>>>>> in HTML5, &lt;u&gt; was completely redefined. Will &lt;a&gt; ("anchor") still be<br>>>>> valid in HTML6 or will &lt;link&gt; be repurposed for hyperlinks as well?<br>>>>><br>>>>> Hence I suggest using a simple URL (or URI, RFC 3986) instead of HTML.<br>>>>> Simple documents (including HTML pages, PDF or any other types of files)<br>>>>> could be embedded using the data: URI scheme (RFC 2397). 
Frontends could<br>>>>> pass the URI to the OS/desktop/browser to be opened or attempt to<br>>>>> display the information inline (e.g. show a web view widget for<br>>>>> HTTP/HTTPS URIs or similar). Optionally, frontends can display a<br>>>>> warning/confirmation dialog to the user before opening the URI.<br>>>>><br>>>>> Perhaps it would be wiser to have two fields: one for the URI and<br>>>>> another for plain text? I currently have no suggestions for the exact<br>>>>> semantics or naming of such entries, but both of these could be<br>>>>> displayed by frontends. The plain text could be a description of the<br>>>>> URI, or contain full information about obtaining the key. One or both of<br>>>>> the entries could be optional. Frontends could opt to detect URLs in the<br>>>>> plain text as well and render these as hyperlinks.<br>>>>><br>>>>> Or perhaps we should use a subset of markdown or similar instead?<br>>>>> However, other markup languages could suffer from problems similar to HTML.<br>>>>><br>>>>> &lt;/brainstorm&gt;<br>>>>><br>>>>> J<br>>>>><br>>>>>> On 30.12.18 00:02, Troy A. Griffitts wrote:<br>>>>>> Dear Frontend Developers,<br>>>>>><br>>>>>> In an effort to gain more publishers-- even those who desire to lock and<br>>>>>> sell some of their modules, I would like to add a new .conf entry:<br>>>>>><br>>>>>> UnlockInfo<br>>>>>><br>>>>>> Up until now, we've relied on the About entry containing something that<br>>>>>> lets the user know how to obtain unlock codes from publishers selling<br>>>>>> codes to unlock their modules. This entry would isolate just those<br>>>>>> instructions to a specific entry and would allow a frontend to do<br>>>>>> something like:<br>>>>>><br>>>>>> if (moduleToInstall.getConfEntry("UnlockInfo")) {<br>>>>>><br>>>>>> showDialog("&lt;p&gt;The publisher of this module requires you to<br>>>>>> obtain an unlock code. 
This code can be entered below, instructions<br>>>>>> from the publisher are as follows:&lt;/p&gt;" +<br>>>>>> moduleToInstall.getConfEntry("UnlockInfo"));<br>>>>>><br>>>>>> }<br>>>>>><br>>>>>> Like many of our entries, this new UnlockInfo entry will allow HTML<br>>>>>> links and will likely contain a direct link from the publisher to their<br>>>>>> store entry to purchase an unlock code.<br>>>>>><br>>>>>> An example would be something like:<br>>>>>><br>>>>>> UnlockInfo=An unlock code for the Larry Fitzgerald NFL HOF Edition of<br>>>>>> the New Testament, with memorable career moments encouraging the<br>>>>>> believer to press on when those around fall short, may be obtained<br>>>>>> directly from the NFL store here: &lt;a target="_blank"<br>>>>>> href="https://nfl.com/shop/lf-nfl-hof-nt-sword-module"&gt;Larry Fitzgerald<br>>>>>> NFL HOF Edition of the New Testament - SWORD Module&lt;/a&gt;<br>>>>>><br>>>>>> Let me know if you have any comments or ideas,<br>>>>>><br>>>>>> Troy<br>>>>>><br>>>>>><br>>>>>><br>>>>>> _______________________________________________<br>>>>>> sword-devel mailing list: sword-devel@crosswire.org<br>>>>>> http://www.crosswire.org/mailman/listinfo/sword-devel<br>>>>>> Instructions to unsubscribe/change your settings at above page<br>>>>>><br>>>>><br>>><br>><br><br></blockquote><div><br></div><div><br></div></blockquote></div></blockquote></div><br>-- <br>Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>
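The escaping Jaak describes (turn every stray &lt;, &gt; and &amp; into an entity) and the restricted subset he proposes (plain text, HTML entities, and an &lt;a&gt; element whose only attribute is a single href) can be implemented in a few dozen lines of C++. The code below is an added example written for this page; it is not SWORD's RTFHTML filter, not BibleTime code, and not code posted by anyone in the thread. The namespace and function names (confhtml::sanitize, escapeText, isSafeHref, findHref), the decision to accept only lower-case <a href="..."> with an absolute http/https URL, and the sample .conf values in main() are all this example's own assumptions.

```cpp
// Added example (not SWORD project code): a whitelist sanitizer for .conf
// entry values such as UnlockInfo, About and ShortPromo. It implements the
// restricted subset proposed in the thread: plain text, HTML entities, and
// <a href="..."> links whose href is an absolute http(s) URL. Anything else
// (other tags, other attributes, javascript:/data: hrefs) is escaped so an
// HTML-based frontend renders it as literal text instead of live markup.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

namespace confhtml {

// Strict escaping of one character: the five characters that can open a tag,
// close a tag, start an entity, or break out of a quoted attribute value.
static void appendEscaped(std::string& out, char c) {
    switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
    }
}

// Escape every special character; used for the href attribute value.
std::string escapeAttr(const std::string& in) {
    std::string out;
    for (char c : in) appendEscaped(out, c);
    return out;
}

// Length of a well-formed entity (&name; &#123; &#x1F;) starting at pos, else 0.
static std::size_t entityLength(const std::string& s, std::size_t pos) {
    std::size_t i = pos + 1;
    if (i < s.size() && s[i] == '#') ++i;
    std::size_t start = i;
    while (i < s.size() && i - pos < 12 && std::isalnum(static_cast<unsigned char>(s[i]))) ++i;
    return (i > start && i < s.size() && s[i] == ';') ? i - pos + 1 : 0;
}

// Escape text, but pass already well-formed entities (&amp; &lt; &#169;) through,
// so a .conf author can still write them; a lone '&' becomes &amp;.
std::string escapeText(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size();) {
        std::size_t n = (in[i] == '&') ? entityLength(in, i) : 0;
        if (n) { out.append(in, i, n); i += n; }
        else   { appendEscaped(out, in[i]); ++i; }
    }
    return out;
}

// Only absolute http(s) URLs without whitespace or control characters.
// This rejects javascript:, data:, file: and relative references outright.
bool isSafeHref(const std::string& href) {
    if (href.rfind("https://", 0) != 0 && href.rfind("http://", 0) != 0) return false;
    for (unsigned char c : href) if (c <= 0x20 || c >= 0x7f) return false;
    return true;
}

// Pull the href="..." value out of an <a ...> tag's attribute text. Every other
// attribute (target, onclick, style, ...) is discarded, never copied through.
static bool findHref(const std::string& attrs, std::string& href) {
    std::size_t p = attrs.find("href=\"");
    if (p == std::string::npos) return false;
    if (p > 0 && !std::isspace(static_cast<unsigned char>(attrs[p - 1]))) return false;
    std::size_t start = p + 6, end = attrs.find('"', start);
    if (end == std::string::npos) return false;
    href = attrs.substr(start, end - start);
    return true;
}

// Sanitize one .conf value for display in an HTML widget.
std::string sanitize(const std::string& in) {
    std::string out;
    std::size_t i = 0;
    while (i < in.size()) {
        // Candidate anchor: "<a", whitespace, attributes, ">", link text, "</a>".
        if (in.compare(i, 2, "<a") == 0 && i + 2 < in.size() &&
            std::isspace(static_cast<unsigned char>(in[i + 2]))) {
            std::size_t gt = in.find('>', i);
            std::size_t close = (gt == std::string::npos) ? gt : in.find("</a>", gt + 1);
            std::string href;
            if (close != std::string::npos &&
                findHref(in.substr(i + 2, gt - (i + 2)), href) && isSafeHref(href)) {
                out += "<a href=\"" + escapeAttr(href) + "\">";
                out += escapeText(in.substr(gt + 1, close - gt - 1)); // link text: no nested tags
                out += "</a>";
                i = close + 4;
                continue;
            }
        }
        // Everything else is literal text: '<' becomes &lt; so no tag can form.
        std::size_t n = (in[i] == '&') ? entityLength(in, i) : 0;
        if (n) { out.append(in, i, n); i += n; }
        else   { appendEscaped(out, in[i]); ++i; }
    }
    return out;
}

} // namespace confhtml

int main() {
    // Constructed sample values (not from any real module) of the kind a hostile .conf might carry.
    const char* samples[] = {
        "Buy here: <a href=\"https://example.com/shop?id=1&x=2\" target=\"_blank\">Store</a>",
        "<span onClick=\"doBadStuff()\">click me</span>",
        "<a href=\"javascript:alert(1)\">unlock</a>",
        "1 &lt; 2 &amp; 3 & 4",
    };
    for (const char* s : samples)
        std::cout << s << "\n  -> " << confhtml::sanitize(s) << "\n";
    return 0;
}
```

Two design choices worth noting. The tag and attribute names are matched case-sensitively and only the exact form <a href="..."> is honoured, so anything a frontend has not explicitly agreed to render, including Troy's target="_blank", is dropped rather than passed through; the frontend decides for itself how a link is opened. And the href scheme check is a positive allow-list (http and https only) rather than a deny-list of javascript: and data:, which is the only way to stay safe against schemes nobody thought of.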