md_browser: Escape URL and file names correctly.

md_browser did not escape URL paths and file names in several pages including
the 404 page, which made simple XSS possible by requesting a URL containing
"<script>".

This patch adds HTML escapes in places where a URL path or a file name is
printed. This patch also decodes the percent encodings in the request path
so that files containing symbols in their names can be shown correctly.

Note that md_browser is a simple tool that is only used locally, thus this
XSS is not really a big problem. However, there's no reason to leave those
holes open.

Change-Id: I71da5e388909abd61ea58036edfdf8277ecda420
Reviewed-on: https://chromium-review.googlesource.com/585513
Reviewed-by: Dirk Pranke <dpranke@chromium.org>
Commit-Queue: Yuta Kitamura <yutak@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#490310}
Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src
Cr-Mirrored-Commit: e11db126ab1874bd2442e60f18d34c10f3697742
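The two fixes the commit describes, decoding percent-encodings in the request path and HTML-escaping the path or file name wherever it is printed, as an added example. This is not md_browser's own code and not the committed patch; the helper names, the `SafeHandler` class and the sample paths are assumptions made for illustration.

```python
import html
import os
import urllib.parse
from http.server import BaseHTTPRequestHandler


def decode_request_path(raw_path: str) -> str:
    """Decode percent-encodings (e.g. '%20') so that a file whose name
    contains symbols resolves to the right file on disk."""
    return urllib.parse.unquote(raw_path)


def render_not_found_unsafe(path: str) -> str:
    """'Before': the request path is interpolated into the 404 page verbatim,
    so a path containing '<script>' lands in the page as live markup."""
    return "<html><body><h1>404 Not Found</h1><p>%s</p></body></html>" % path


def render_not_found(path: str) -> str:
    """'After': the path is HTML-escaped before interpolation, so any markup
    in it is shown as text rather than parsed by the browser."""
    return ("<html><body><h1>404 Not Found</h1><p>%s</p></body></html>"
            % html.escape(path))


def render_directory_listing(names) -> str:
    """Escape a file name in both contexts it is printed in: the href
    attribute (percent-encode, then attribute-escape) and the visible text
    (HTML-escape). A name is untrusted output even though it came from disk."""
    items = []
    for name in names:
        href = html.escape(urllib.parse.quote(name), quote=True)
        items.append('<li><a href="%s">%s</a></li>' % (href, html.escape(name)))
    return "<ul>%s</ul>" % "".join(items)


class SafeHandler(BaseHTTPRequestHandler):
    """Hypothetical handler (not md_browser's) showing where the helpers sit:
    decode on input, escape on output. Serves files below ROOT."""
    ROOT = os.getcwd()

    def do_GET(self):
        path = decode_request_path(urllib.parse.urlsplit(self.path).path)
        full = os.path.normpath(os.path.join(self.ROOT, path.lstrip("/")))
        if os.path.isdir(full):
            body = render_directory_listing(sorted(os.listdir(full)))
            status = 200
        elif os.path.isfile(full):
            with open(full, "rb") as f:
                body = f.read().decode("utf-8", "replace")
            status = 200
        else:
            body = render_not_found(path)
            status = 404
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Constructed sample request path: a file name with a space and markup.
    sample = "/docs/a%20b%3Cscript%3E.md"
    print(render_not_found_unsafe(decode_request_path(sample)))
    print(render_not_found(decode_request_path(sample)))
```

The ordering matters: decode first so the file lookup sees the real name, then escape at the point of output, once per output context (attribute versus text). Escaping before decoding, or escaping the already-decoded value only once for both contexts, leaves one of the two paths unprotected.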
1 file changed
tree: bcf9b4efdab6c8157b859c1de723927b203e8084
  1. .gitignore
  2. __init__.py
  3. base.css
  4. doc.css
  5. footer.html
  6. gitiles_autolink.py
  7. gitiles_ext_blocks.py
  8. gitiles_smart_quotes.py
  9. header.html
  10. md_browser.py
  11. OWNERS
  12. prettify.css
  13. README.md
  14. update-css.sh
README.md

md_browser

This is a simple tool to render the markdown docs in a chromium checkout locally. It is written in Python and uses the Python ‘markdown’ package, which is checked into src/third_party.

md_browser attempts to emulate the flavor of Markdown implemented by Gitiles.

Gitiles is the source browser running on https://chromium.googlesource.com, and can be run locally, but to do so requires a Java install and a Buck install, which can be slightly annoying to set up on Mac or Windows.

This is a lighter-weight solution, which also allows you to preview uncommitted changes (i.e., it just serves files out of the filesystem, and is not a full Git repo browser like Gitiles is).

To run md_browser:

  1. cd to the top of your chromium checkout

  2. run python tools/md_browser/md_browser.py

  3. There is no step three.

This will run a local web server on port 8080 that points to the top of the repo. You can specify a different port with the -p flag.