commit | 0bc03ce7bfd7a4626a9d41eec938fc688b42a8dd |
---|---|---|
author | Yuta Kitamura <yutak@chromium.org> | Fri Jul 28 07:29:10 2017
committer | Commit Bot <commit-bot@chromium.org> | Fri Jul 28 07:29:10 2017
tree | bcf9b4efdab6c8157b859c1de723927b203e8084 |
parent | 4e5ea637f836ad93e6cf542504451077d27185bf |
md_browser: Escape URL and file names correctly.

md_browser did not escape URL paths and file names in several pages including the 404 page, which made simple XSS possible by requesting a URL containing "<script>". This patch adds HTML escapes in places where a URL path or a file name is printed.

This patch also decodes the percent encodings in the request path so that files containing symbols in their names can be shown correctly.

Note that md_browser is a simple tool that is only used locally, thus this XSS is not really a big problem. However, there's no reason to leave those holes open.

Change-Id: I71da5e388909abd61ea58036edfdf8277ecda420
Reviewed-on: https://chromium-review.googlesource.com/585513
Reviewed-by: Dirk Pranke <dpranke@chromium.org>
Commit-Queue: Yuta Kitamura <yutak@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#490310}
Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src
Cr-Mirrored-Commit: e11db126ab1874bd2442e60f18d34c10f3697742
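The commit message describes two changes: HTML-escaping every request path or file name before it is written into a page, and percent-decoding the request path first so that file names with symbols resolve. The snippet below is an added illustration of that pattern and is not md_browser's own code; the `render_404_*` functions, the page template and the sample paths are all constructed for this example. It shows the pre-fix shape (raw path interpolated into HTML) beside the hardened one (decode, then escape), and why the order matters: decoding after escaping would turn an encoded `%3Cscript%3E` back into a live tag.

```python
"""Added example, not md_browser's code: reflecting a request path into a
404 page unescaped versus decoded-then-escaped."""
import html
from urllib.parse import unquote

# Constructed request paths (not from the page). The first carries literal
# markup, the second the same tag percent-encoded, the third an ordinary
# file name whose '&' and spaces are percent-encoded.
SAMPLE_PATHS = [
    "/docs/<script>.md",
    "/docs/%3Cscript%3E.md",
    "/docs/my%20notes%20%26%20ideas.md",
]

PAGE_TEMPLATE = "<html><body>%s not found</body></html>"  # hypothetical template


def render_404_unescaped(path):
    """Pre-fix behaviour: the raw path is interpolated into HTML verbatim.

    Any markup in the path is reflected to the browser as-is (the XSS the
    commit message describes).
    """
    return PAGE_TEMPLATE % path


def decode_request_path(path):
    """Percent-decode the request path so that a file named e.g.
    'my notes & ideas.md' can be looked up on disk."""
    return unquote(path)


def render_404_escaped(path):
    """Hardened form: decode first (for the file lookup), then HTML-escape the
    decoded string before it reaches the page. quote=True also escapes
    quotes, so the value is safe inside attributes as well as text."""
    decoded = decode_request_path(path)
    return PAGE_TEMPLATE % html.escape(decoded, quote=True)


def render_404_wrong_order(path):
    """Counter-example: escaping before decoding leaves an encoded tag intact,
    and the later unquote() turns it back into live markup."""
    return PAGE_TEMPLATE % unquote(html.escape(path, quote=True))


def reflects_raw_tag(page):
    """Crude check used by the demo: does the page still contain a raw tag?"""
    return "<script>" in page


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("unescaped  :", render_404_unescaped(p))
        print("wrong order:", render_404_wrong_order(p))
        print("hardened   :", render_404_escaped(p))
        print()
```

The check that matters in review is the one `render_404_wrong_order` fails: every string derived from the request must be escaped at the point it is written into HTML, after all decoding has happened, not somewhere earlier in the pipeline.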
This is a simple tool to render the markdown docs in a chromium checkout locally. It is written in Python and uses the Python ‘markdown’ package, which is checked into src/third_party.
md_browser attempts to emulate the flavor of Markdown implemented by Gitiles.
Gitiles is the source browser running on https://chromium.googlesource.com, and can be run locally, but to do so requires a Java install and a Buck install, which can be slightly annoying to set up on Mac or Windows.
This is a lighter-weight solution, which also allows you to preview uncommitted changes (i.e., it just serves files out of the filesystem, and is not a full Git repo browser like Gitiles is).
To run md_browser:

1. cd to the top of your chromium checkout
2. run `python tools/md_browser/md_browser.py`
3. There is no step three.

This will run a local web server on port 8080 that points to the top of the repo. You can specify a different port with the `-p` flag.