Skip to content

fix: sanitize image src in ForumState HTML output#270

Open
uchia6861-tech wants to merge 1 commit into
google-deepmind:mainfrom
uchia6861-tech:main
Open

fix: sanitize image src in ForumState HTML output#270
uchia6861-tech wants to merge 1 commit into
google-deepmind:mainfrom
uchia6861-tech:main

Conversation

@uchia6861-tech

Copy link
Copy Markdown

Escape image URL attributes and add URL scheme validation
in _render_post_image() and the reply image block in to_html()
to prevent potential HTML injection via unsanitized src values.

Changes:

  • Pass image src through _escape_html() before rendering into img attribute
  • Add URL scheme allowlist (https://, http://, data:image/) to block javascript: URIs
  • Applied consistently to both post images and reply images

Escape image URL attributes and add URL scheme validation
in _render_post_image() and the reply image block in to_html()
to prevent potential HTML injection via unsanitized src values.
@google-cla

google-cla Bot commented May 1, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@uchia6861-tech uchia6861-tech marked this pull request as draft May 2, 2026 11:40
@uchia6861-tech uchia6861-tech marked this pull request as ready for review May 2, 2026 11:40
@uchia6861-tech

Copy link
Copy Markdown
Author

@googlebot I have signed the CLA.

1 similar comment
@uchia6861-tech

Copy link
Copy Markdown
Author

@googlebot I have signed the CLA.

@uchia6861-tech uchia6861-tech left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@uchia6861-tech

Copy link
Copy Markdown
Author

@google-deepmind/concordia-team Hi, I have signed the Google CLA at
cla.developers.google.com with my email uchia6861@gmail.com but the
cla/google check is still failing. Could a maintainer help resolve this?
Thank you.

@uchia6861-tech

Copy link
Copy Markdown
Author

Hi team, I have a valid Google Individual CLA signed on May 3, 2026
with email uchia6861@gmail.com (GitHub account: uchia6861-tech) but
the cla/google bot check is still failing. Could a maintainer please
manually verify or override the CLA check? Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant