David King 8076ed13f1 Security fix: double escape more stuff in RSS feeds
We have our Mako filters set to escape HTML by default. Unfortunately RSS
requires double escaping in some places and not in others, so there isn't a
reasonable default. Here I have done a pass through the `.xml` templates to find
user data that's ending up single-escaped and added double escaping to them.

This requirement is because RSS grew HTML support organically in a way that
clients can't tell if a field actually contains HTML or not. Sometimes it's
double escaped, sometimes it's not. Clients have to take a guess by sniffing for
`>` characters and hoping they get it right. This also means that it's
impossible for servers to reliably tell the clients which data this field
contains.

This is a bit of a ticking time bomb. Users may find ways to sneak in HTML in
the date field, or we may add new templates that forget to do double escaping on
little-used fields. I recommend that we switch these to use Atom which always
indicates whether the fields contain HTML or not. Work has started on this
conversion in another branch.

* ref https://www.reddit.com/r/AskNetsec/comments/41larg/titleheadbody_idmsgfeedsummarybodyimg/
* ref https://reddit.atlassian.net/browse/INFRA-721
* ref https://bugzilla.mozilla.org/show_bug.cgi?id=1240603
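The escaping problem the commit describes, as an added example that is not part of the commit or of the reddit codebase: Python's `html.escape` stands in for the default Mako escaping filter, the user title is a constructed sample, and the client model (XML-parse once, then sniff for tag characters) is the guessing behaviour the message attributes to RSS readers. The Atom helpers at the end show why an explicit `type` attribute removes the guess.

```python
import html
from typing import Tuple
from xml.etree import ElementTree as ET

# Constructed sample of user-supplied data (not taken from the reddit codebase).
USER_TITLE = 'Look: <b>not really bold</b> & "quotes"'


def escape_once(text: str) -> str:
    """One layer of XML/HTML escaping, i.e. what a default escaping filter gives you."""
    return html.escape(text, quote=True)


def rss_item_single_escaped(title: str) -> str:
    """RSS <title> with user data escaped once. The XML parser strips that one
    layer, so a client that sniffs for markup sees the user's raw tags as HTML."""
    return f"<item><title>{escape_once(title)}</title></item>"


def rss_item_double_escaped(title: str) -> str:
    """RSS <title> with user data escaped twice. After XML parsing the client is
    left with entity-encoded text, which renders as literal characters even when
    the client guesses that the field holds HTML."""
    return f"<item><title>{escape_once(escape_once(title))}</title></item>"


def rss_client_view(item_xml: str) -> Tuple[str, bool]:
    """Model of an RSS client: parse the XML (one unescape), then guess whether
    the field contains HTML by looking for tag characters."""
    text = ET.fromstring(item_xml).findtext("title") or ""
    looks_like_html = "<" in text and ">" in text
    return text, looks_like_html


def atom_title_text(title: str) -> str:
    """Atom <title type="text">: the feed states that the content is plain text,
    so a single layer of XML escaping is sufficient and unambiguous."""
    return f'<title type="text">{escape_once(title)}</title>'


def atom_client_view(title_xml: str) -> Tuple[str, bool]:
    """Model of an Atom client: the `type` attribute says whether the field is
    HTML; no sniffing is needed (Atom defaults to "text" when it is absent)."""
    element = ET.fromstring(title_xml)
    return element.text or "", element.get("type", "text") == "html"


if __name__ == "__main__":
    # Single escaping: the client recovers the raw user markup and treats it as HTML.
    print(rss_client_view(rss_item_single_escaped(USER_TITLE)))
    # Double escaping: the client sees entity text and renders it literally.
    print(rss_client_view(rss_item_double_escaped(USER_TITLE)))
    # Atom: same user text, one escape, and the client is told it is plain text.
    print(atom_client_view(atom_title_text(USER_TITLE)))
```

The single-escaped item hands the client the user's `<b>` tag intact, and the sniffing heuristic then classifies the whole field as HTML; the double-escaped item survives the parser's unescape as `&lt;b&gt;...`, which the heuristic classifies as text. The Atom variant needs only one escape because the client reads the declared type instead of guessing, which is the property the commit message recommends switching to.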

reddit

Greetings!

This is the primary codebase that powers reddit.com.

For notices about major changes and general discussion of reddit development, subscribe to the /r/redditdev and /r/changelog subreddits.

You can also chat with us via IRC in #reddit-dev on freenode.


Quickstart

To set up your own instance of reddit to develop with, we have a handy install script for Ubuntu that will automatically install and configure most of the stack.

Alternatively, refer to our Install Guide for instructions on setting up reddit from scratch. Many frequently asked questions regarding local reddit installs are covered in our FAQ.

APIs

To learn more about reddit's API, check out our automated API documentation and the API wiki page. Please use a unique User-Agent string and take care to abide by our API rules.

Happy hacking!

Issues and Contribution Guidelines

Thanks for wanting to help make reddit better! First things first, though: GitHub issues are only for confirmed, active bugs. Please submit ideas to /r/ideasfortheadmins.

Please read more on contributions in CONTRIBUTING.md.
