Teleporter: use of apostrophes results with clients desc "'" and adlists desc "'" #1928
Comments
The reason is that line converting all characters to their respective HTML entities. This prevents insertion of malicious code. The same issue was discussed here. I still think the security aspect outweighs the visual bug. But happy to hear from @pi-hole/web-approvers
Just thinking out loud, can't we use
I reviewed 1733 and appreciate the response. My thoughts as a security professional: exporting and importing data must result in the same values unless changes are intentional, i.e. data integrity. If the user is entering unexpected values, then prevent it through input validation. To improve the user experience, communicate on the form what characters are permitted or not permitted. Alternatively, alert them when input validation fails. I am hazy on the security concern. I saw malicious code being cited, but what is the threat vector? Where I am going with this is that the threat and vector, generally, dictate the security control, so is the current remediation appropriate or even effective? Not meaning to poke holes. Loving Pi-hole and the work you guys are doing.
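To illustrate the integrity point made in the comment above, here is an added Python model (not Pi-hole's own code) of the two places the escaping can live: at import/storage time, which is what leaves `&#039;` in the exported data and compounds on every export/import cycle, versus once at render time, which keeps stored and exported values byte-identical while still neutralising HTML in the browser. `escape_for_html` emulates PHP's `htmlspecialchars($s, ENT_QUOTES)`, which is assumed here to be the source of the `&#039;` form; the sample descriptions are constructed.

```python
import html


def escape_for_html(s: str) -> str:
    """Output encoding for an HTML text/attribute context.

    Emulates PHP htmlspecialchars() with ENT_QUOTES: & < > " are escaped and
    the apostrophe becomes &#039; (Python's html.escape would emit &#x27;,
    so the quote characters are handled explicitly)."""
    return (html.escape(s, quote=False)
            .replace('"', "&quot;")
            .replace("'", "&#039;"))


def decode_html(s: str) -> str:
    """Reverse the encoding, e.g. to repair an export that already contains
    entity-encoded descriptions (the shell-script fix described in the thread)."""
    return html.unescape(s)


class PiholeStore:
    """Toy stand-in for the clients/adlist description columns."""

    def __init__(self, escape_on_import: bool) -> None:
        self.escape_on_import = escape_on_import  # True models the reported bug
        self.rows: list[str] = []

    def import_rows(self, rows: list[str]) -> None:
        self.rows = [escape_for_html(r) if self.escape_on_import else r
                     for r in rows]

    def export_rows(self) -> list[str]:
        return list(self.rows)  # Teleporter dumps whatever is stored

    def render(self) -> list[str]:
        # The only place encoding belongs: just before the value hits HTML.
        return [escape_for_html(r) for r in self.rows]


def teleport(descs: list[str], escape_on_import: bool, cycles: int) -> list[str]:
    """Export from one Pi-hole and import into the next, `cycles` times,
    returning what the final instance has stored."""
    current = list(descs)
    for _ in range(cycles):
        store = PiholeStore(escape_on_import)
        store.import_rows(current)
        current = store.export_rows()
    return current


# Constructed sample descriptions, as a user might type them in the web UI.
SAMPLE_DESCS = ["Bob's laptop", "<b>bold</b> adlist"]
```

Run `teleport(SAMPLE_DESCS, True, 2)` to see the apostrophe degrade to `&amp;#039;` after the second migration, and `teleport(SAMPLE_DESCS, False, 2)` to see it survive unchanged while `PiholeStore.render()` still escapes the `<b>` tag.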
In lieu of a bug fix as a long term solution, I was able to import my Teleporter export file after corrections using a shell script. Hopefully, this issue will be resolved soon, but in the meantime I am able to move forward.
@yubiuser, nice catch! Let me know if I need to update the title or take some action to push it forward. I appreciate your timely response and efforts.
Thanks, no need to change the title. We are aware of this bug. The whole encoding/decoding needs a proper re-write. We just need to find the time to do this.
PRs are always welcome :)
Understood. Thank you.
Versions
Platform
Expected behavior
When using an apostrophe (') in Adlists or configured client description, the expectation is Teleporter will export and import the original character.
Actual behavior / bug
The apostrophe is imported as "'" or "&#039".
Steps to reproduce
Steps to reproduce the behavior:
Source pi-hole
Target pi-hole
"'"
"'"
Debug Token
Screenshots
Additional context
echo $LANG
en_US.UTF-8