From: Hans-Christoph Steiner
Date: Tue, 27 Feb 2018 11:09:54 +0000 (+0100)
Subject: lint: ban all dangerous HTML tags
X-Git-Tag: 1.0.3~22^2
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=fdroidserver.git;a=commitdiff_plain;h=498ea5d6095784841538e61892a8cfbfe6eecc48

lint: ban all dangerous HTML tags

* https://en.wikipedia.org/wiki/HTML_sanitization
* https://asostack.com/enhance-your-google-play-store-description-with-rich-formatting-and-emojis-5f50ff354e5f
---

diff --git a/fdroidserver/lint.py b/fdroidserver/lint.py
index 315a61b8..b0a5cad7 100644
--- a/fdroidserver/lint.py
+++ b/fdroidserver/lint.py
@@ -164,7 +164,7 @@ regex_checks = {
 _("Unnecessary leading space")),
 (re.compile(r'.*\s$'),
 _("Unnecessary trailing space")),
- (re.compile(r'.*<(iframe|link|script).*'),
+ (re.compile(r'.*<(applet|base|body|button|embed|form|head|html|iframe|img|input|link|object|picture|script|source|style|svg|video).*', re.IGNORECASE),
 _("Forbidden HTML tags")),
 (re.compile(r'''.*\s+src=["']javascript:.*'''),
 _("Javascript in HTML src attributes")),
diff --git a/tests/lint.TestCase b/tests/lint.TestCase
index 433c0787..ad9f0514 100755
--- a/tests/lint.TestCase
+++ b/tests/lint.TestCase
@@ -3,6 +3,7 @@
 # http://www.drdobbs.com/testing/unit-testing-with-python/240165163
 
 import inspect
+import logging
 import optparse
 import os
 import shutil
@@ -23,6 +24,14 @@ import fdroidserver.lint
 class LintTest(unittest.TestCase):
 '''fdroidserver/lint.py'''
 
+ def setUp(self):
+ logging.basicConfig(level=logging.INFO)
+ self.basedir = os.path.join(localmodule, 'tests')
+ self.tmpdir = os.path.abspath(os.path.join(self.basedir, '..', '.testfiles'))
+ if not os.path.exists(self.tmpdir):
+ os.makedirs(self.tmpdir)
+ os.chdir(self.basedir)
+
 def test_check_for_unsupported_metadata_files(self):
 config = dict()
 fdroidserver.common.fill_config_defaults(config)
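Review bot: The enlarged denylist on the `+` line still lets script reach the rendered description through tags it does not name, e.g. `<a href="javascript:...">` or `<a onmouseover=...>`, because the pattern matches tag names only and the attribute check two lines below it matches only `src=` — and, unlike the new pattern, without `re.IGNORECASE`, so `SRC="JavaScript:"` passes. Since this field is untrusted metadata that presumably ends up in generated HTML, an allowlist of the few tags the description format is meant to support, flagging any other `<tag`, would be the more robust lint; I cannot see that set from this hunk, so at minimum widen the attribute check to `(re.compile(r'''.*\s+(href|src)=["']\s*javascript:.*''', re.IGNORECASE), _("Javascript in HTML href/src attributes")),` and add `(re.compile(r'.*<\w+[^>]*\s+on\w+\s*=.*', re.IGNORECASE), _("HTML event handler attributes")),`. The tag pattern also has no boundary after the name, so `<img` flags an unrelated token such as `<imgur`; acceptable for a linter, but worth a one-line comment so the next editor does not "fix" it. The `regex_checks` dict continues outside the hunk on both sides.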
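Review bot: `os.chdir(self.basedir)` in the new `setUp` changes process-wide state that nothing restores, so every test that runs after a `LintTest` in the same process sees a different working directory — a classic source of order-dependent failures. Save and restore it: `self._old_cwd = os.getcwd()` before the `chdir`, plus `def tearDown(self): os.chdir(self._old_cwd)`. `logging.basicConfig(level=logging.INFO)` is likewise global and only takes effect on its first call anywhere in the process, and the new test added further down logs at DEBUG, so those messages will never appear under this configuration. The `.testfiles` directory is created but never removed; if that is deliberate for post-mortem inspection, say so in a comment.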
@@ -31,8 +40,8 @@ class LintTest(unittest.TestCase):
 fdroidserver.lint.config = config
 self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files())
 
- tmpdir = os.path.join(localmodule, '.testfiles')
- tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=tmpdir)
+ tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name,
+ dir=self.tmpdir)
 self.assertFalse(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
 shutil.copytree(os.path.join(localmodule, 'tests', 'metadata'),
 os.path.join(tmptestsdir, 'metadata'),
@@ -42,6 +51,24 @@ class LintTest(unittest.TestCase):
 os.path.join(tmptestsdir, 'metadata'))
 self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
 
+ def test_forbidden_html_tags(self):
+ config = dict()
+ fdroidserver.common.fill_config_defaults(config)
+ fdroidserver.common.config = config
+ fdroidserver.lint.config = config
+
+ app = {
+ 'Name': 'Bad App',
+ 'Summary': 'We pwn you',
+ 'Description': 'This way: ',
+ }
+
+ anywarns = False
+ for warn in fdroidserver.lint.check_regexes(app):
+ anywarns = True
+ logging.debug(warn)
+ self.assertTrue(anywarns)
+
 
 if __name__ == "__main__":
 parser = optparse.OptionParser()
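Review bot: `test_forbidden_html_tags` proves less than its name says: it only asserts that `check_regexes` yields some warning, and the `Description` value as shown here, `'This way: '`, ends in whitespace, which already trips the "Unnecessary trailing space" regex in lint.py, so the assertion passes even if the forbidden-tag pattern never fires (the page may have stripped a tag from that string, so I am reading the visible text only). Collect the warnings and pin the message: `warns = list(fdroidserver.lint.check_regexes(app))` followed by `self.assertTrue(any('Forbidden HTML tags' in w for w in warns), warns)`, assuming the warning text is untranslated in the test environment. A second, negative case with a description that uses only the tags the description format permits would catch an over-broad pattern, which matters more for a linter that gates app metadata. The `logging.debug(warn)` calls are silent under the INFO level configured in `setUp`.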