lint: ban all dangerous HTML tags
authorHans-Christoph Steiner <hans@eds.org>
Tue, 27 Feb 2018 11:09:54 +0000 (12:09 +0100)
committerHans-Christoph Steiner <hans@eds.org>
Tue, 27 Feb 2018 11:09:54 +0000 (12:09 +0100)
* https://en.wikipedia.org/wiki/HTML_sanitization
* https://asostack.com/enhance-your-google-play-store-description-with-rich-formatting-and-emojis-5f50ff354e5f

fdroidserver/lint.py
tests/lint.TestCase

index 315a61b880d6d12417c377f2cce063f4705bd89d..b0a5cad76f93f52fb33752519bd98602e5605cf9 100644 (file)
@@ -164,7 +164,7 @@ regex_checks = {
          _("Unnecessary leading space")),
         (re.compile(r'.*\s$'),
          _("Unnecessary trailing space")),
-        (re.compile(r'.*<(iframe|link|script).*'),
+        (re.compile(r'.*<(applet|base|body|button|embed|form|head|html|iframe|img|input|link|object|picture|script|source|style|svg|video).*', re.IGNORECASE),
          _("Forbidden HTML tags")),
         (re.compile(r'''.*\s+src=["']javascript:.*'''),
          _("Javascript in HTML src attributes")),
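Review bot: The widened tag blocklist on the changed line still lets JavaScript through on the tags it permits, because the companion check on the next line only looks at `src=` and no visible entry inspects event-handler attributes, so `<a href="javascript:...">` or `<b onmouseover=...>` pass the lint (regex_checks continues outside the hunk, so such a rule may exist elsewhere, but nothing in this hunk covers it). I would widen the attribute check to `(re.compile(r'''.*\s+(src|href)=["']\s*javascript:.*''', re.IGNORECASE), _("Javascript in HTML src/href attributes"))` and add `(re.compile(r'.*<[^>]*\son[a-z]+\s*=.*', re.IGNORECASE), _("Javascript event handlers in HTML attributes"))` beside it. A blocklist will also keep missing the next tag someone thinks of; if the intent is the Play Store formatting subset linked in the commit message, an allowlist of those tag names with everything else rejected would be the more robust shape, though that is a larger change than this hunk. Note the tag pattern has no boundary after the name, so prose like `<bodyguard` is flagged too — harmless, but a trailing `(?=[\s/>])` would fix it if false positives appear.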
index 433c07875d8f39755f6af072bc7c113d3b2455e6..ad9f0514f1791c46b228389200a7cc50c5b2747e 100755 (executable)
@@ -3,6 +3,7 @@
 # http://www.drdobbs.com/testing/unit-testing-with-python/240165163
 
 import inspect
+import logging
 import optparse
 import os
 import shutil
@@ -23,6 +24,14 @@ import fdroidserver.lint
 class LintTest(unittest.TestCase):
     '''fdroidserver/lint.py'''
 
+    def setUp(self):
+        logging.basicConfig(level=logging.INFO)
+        self.basedir = os.path.join(localmodule, 'tests')
+        self.tmpdir = os.path.abspath(os.path.join(self.basedir, '..', '.testfiles'))
+        if not os.path.exists(self.tmpdir):
+            os.makedirs(self.tmpdir)
+        os.chdir(self.basedir)
+
     def test_check_for_unsupported_metadata_files(self):
         config = dict()
         fdroidserver.common.fill_config_defaults(config)
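Review bot: `os.chdir(self.basedir)` in the new setUp changes the working directory of the whole test process and nothing restores it, so every later test in the same run — in this class and in any module collected after it — inherits `tests/` as its cwd. Register the restore before changing directory, e.g. `self.addCleanup(os.chdir, os.getcwd())` immediately above the `os.chdir` line. `logging.basicConfig` is a no-op once any handler is installed, so calling it per test is harmless but belongs at module level or in the runner rather than in setUp. The exists check before `os.makedirs` can race with a parallel test process creating the same `.testfiles` directory; `os.makedirs(self.tmpdir, exist_ok=True)` avoids that if the suite is Python 3 only.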
@@ -31,8 +40,8 @@ class LintTest(unittest.TestCase):
         fdroidserver.lint.config = config
         self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files())
 
-        tmpdir = os.path.join(localmodule, '.testfiles')
-        tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=tmpdir)
+        tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name,
+                                       dir=self.tmpdir)
         self.assertFalse(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
         shutil.copytree(os.path.join(localmodule, 'tests', 'metadata'),
                         os.path.join(tmptestsdir, 'metadata'),
@@ -42,6 +51,24 @@ class LintTest(unittest.TestCase):
                     os.path.join(tmptestsdir, 'metadata'))
         self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
 
+    def test_forbidden_html_tags(self):
+        config = dict()
+        fdroidserver.common.fill_config_defaults(config)
+        fdroidserver.common.config = config
+        fdroidserver.lint.config = config
+
+        app = {
+            'Name': 'Bad App',
+            'Summary': 'We pwn you',
+            'Description': 'This way: <style><img src="</style><img src=x onerror=alert(1)//">',
+        }
+
+        anywarns = False
+        for warn in fdroidserver.lint.check_regexes(app):
+            anywarns = True
+            logging.debug(warn)
+        self.assertTrue(anywarns)
+
 
 if __name__ == "__main__":
     parser = optparse.OptionParser()
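Review bot: The new test only asserts that check_regexes yields *something*, so it would keep passing with the forbidden-tag rule broken as long as any other regex check fires on this app; I would collect the output and assert on the specific message, e.g. `warns = list(fdroidserver.lint.check_regexes(app))` followed by `self.assertTrue(any('Forbidden HTML tags' in str(w) for w in warns), warns)` (the exact yield format of check_regexes is outside the hunk, so adapt the substring to it). Since this commit adds re.IGNORECASE, a second app with `<SCRIPT>` or `<Img src=x>` in its Description would pin that behaviour, and a benign description containing only the permitted formatting tags should be checked to yield no forbidden-tag warning so the blocklist does not silently over-match. The `logging.debug(warn)` calls never print under the INFO level set in setUp; either drop them or log at INFO.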