Conversation

@tpurschke
Contributor

@tpurschke tpurschke commented Oct 27, 2025

Closing #3810.
Not using this sanitizer to protect _blazor calls, as this is unnecessary and may break things.

@tpurschke tpurschke changed the title first throw url sanitizer URL sanitizer for help pages Oct 29, 2025
@tpurschke tpurschke requested a review from Robin-Smets October 29, 2025 07:00
@tpurschke tpurschke marked this pull request as ready for review October 29, 2025 07:24
@SolidProgramming
Contributor

SolidProgramming commented Oct 30, 2025

@tpurschke Maybe add some test cases from the XSS_Filter_Evasion_Cheat_Sheet?

Good thinking, but because of time-criticality I would like to postpone this. Could you please create an issue for this which we can tackle later?
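What cheat-sheet-style test cases for a help-page URL sanitizer look like, as an added example that is not the project's code and not part of this thread: a naive "first throw" blocklist sanitizer next to a parse-based allowlist that accepts only plain relative help links and absolute http(s) URLs, both run over constructed vectors in the spirit of the cheat sheet (case games, an embedded tab, an HTML entity, a percent-encoded letter, a data: URL, a protocol-relative URL, and the `javajavascript:script:` double-up that survives a single strip pass). The function names, the `VECTORS` table and every URL in it are made up for this illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit


def blocklist_sanitize(url: str) -> str:
    """A 'first throw' sanitizer: strip the literal 'javascript:' and keep the rest.

    Constructed here only to show how a blocklist fares against the cheat sheet;
    it is not the project's implementation.
    """
    return re.sub(r"(?i)javascript:", "", url)


ALLOWED_SCHEMES = {"http", "https"}
SAFE_RELATIVE = re.compile(r"[A-Za-z0-9_./#?=&%-]+")
DANGEROUS = re.compile(r"(?i)^(javascript|vbscript|data):")


def _normalize(url: str) -> str:
    """Undo the decodings that happen before a browser looks at the scheme.

    HTML entities first (the value may have been lifted out of markup), then
    percent-encoding (conservative: a browser keeps '%6A' literal in a scheme,
    but a later decode step in the pipeline might not), then the control and
    whitespace characters browsers ignore inside a scheme ('java\\tscript:').
    """
    s = html.unescape(url)
    s = unquote(s)
    return re.sub(r"[\x00-\x20\x7f]", "", s)


def allowlist_sanitize(url: str, fallback: str = "#") -> str:
    """Return url if it is a plain relative path/fragment or an absolute http(s)
    URL; otherwise return an inert fallback. The decision is made on the decoded
    form; the original string is what gets returned."""
    s = _normalize(url)
    if s.startswith("//") or s.startswith("\\\\"):
        return fallback  # protocol-relative: the link would leave the help origin
    parts = urlsplit(s)
    if parts.scheme == "":
        return url if SAFE_RELATIVE.fullmatch(url) else fallback
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc:
        return url
    return fallback


# Constructed vectors: True = benign help link that must survive unchanged,
# False = hostile input that must not come back with a scriptable scheme.
VECTORS = {
    "https://example.com/help/rules": True,
    "help/firewall.html#rules": True,
    "#top": True,
    "javascript:alert(1)": False,
    "JaVaScRiPt:alert(1)": False,               # case games
    "java\tscript:alert(1)": False,             # embedded tab
    "&#106;avascript:alert(1)": False,          # HTML entity for 'j'
    "%6Aavascript:alert(1)": False,             # percent-encoded 'j'
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==": False,
    "vbscript:msgbox(1)": False,
    "//evil.example/phish": False,              # protocol-relative
    "javajavascript:script:alert(1)": False,    # survives one strip pass
}


def is_hostile_output(out: str) -> bool:
    """True if what the sanitizer returned would still run script or change origin."""
    s = _normalize(out)
    return bool(DANGEROUS.match(s)) or s.startswith("//")


def check(sanitize) -> list:
    """Return the vectors the given sanitizer gets wrong."""
    failures = []
    for url, benign in VECTORS.items():
        out = sanitize(url)
        if benign and out != url:
            failures.append(url)
        elif not benign and is_hostile_output(out):
            failures.append(url)
    return failures


if __name__ == "__main__":
    print("blocklist misses:", check(blocklist_sanitize))
    print("allowlist misses:", check(allowlist_sanitize))
```

The blocklist fails seven of the twelve vectors, including the entity-encoded and tab-split forms and the double-up that strips down to a clean `javascript:`; the allowlist fails none, because it decides on the decoded scheme rather than on a string it hopes to recognise. The `%6A` vector is stricter than browser behaviour and is there as defence in depth, not as a known bypass.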

@Robin-Smets
Contributor

I would be happy to review this, but I don't have any clue how to test it. Given our shortened time window, I would suggest that the testing be done by somebody who is familiar with these kinds of attacks, so that we don't have to spend the time I would need to research this topic. Best would be if somebody who is familiar with this topic could do the testing and I could just witness the act, so that I know for next time.

@tpurschke
Contributor Author

Shall we have a quick call regarding this issue so that I can show you the ropes?

@Robin-Smets
Contributor

Let's do that tomorrow.

@tpurschke
Contributor Author

@SolidProgramming @NilsPur, adding some more eyes: your review is appreciated for this security fix.

@sonarqubecloud

sonarqubecloud bot commented Nov 2, 2025

@tpurschke tpurschke merged commit 65f5662 into CactuseSecurity:importer-rework Nov 2, 2025
3 checks passed
@SolidProgramming
Contributor

The thing handled with "MyRegex", "MyRegex1", "MyRegex2" is badly named. I would have taken a look at the cleaning because I would have done this with more regex, but I guess it's not needed anymore.

@tpurschke tpurschke deleted the fix-security-url-sanitizing branch November 8, 2025 14:33