a11y: allow aria-label and aria-hidden tags on pre tags #349
No reviewers
Labels
No labels
approved, awaiting change
bug
configuration
documentation
duplicate
enhancement
extremely low priority
feature request
Fix it yourself
help wanted
invalid
mastodon_api
needs docs
needs tests
not a bug
planned
pleroma_api
privacy
question
static_fe
triage
wontfix
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: AkkomaGang/akkoma#349
Loading…
Reference in a new issue
No description provided.
Delete branch "(deleted):a11y/aria"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
close #153 (ooh an oldie)
would help accessibility a ton, and would let people post ascii art without worrying about messing up people's screenreaders
honestly i'm starting to be of the mindset that HTML posting is silly - does anyone actually use it?
Honestly if most forums/boards out there disallow HTML posting, it's probably for the better for it to be disallowed in the context of interactive social media.
i've seen a few people use it
it allows for some of the mfm things but with a different markup
it doesn't have any security vulns i don't see a reason it should be removed really
If you're able to add arbitrary tags like this, then the only thin line protecting you from said vulnerabilities is the HTML sanitiser and a likely XSS waiting to happen because the default Akkoma (seems to be a Pleroma relic) CSP is to allow unsafe-inline CSS, and (what seems to be) allowing unsafe-inline for JavaScript too from a quick search for
unsafe-inline, andunsafe-eval(????).If HTML posting is going to exist, then there needs to be better protections than a single sanitiser. As is, arbitrary HTML posting poses quite a pretty large risk that some instances are already disabling it. A stronger CSP would be a good start, but apparently that breaks MFM which is quite problematic.
like iunno any instance could already send whatever html it wants and we can't do anything about it except sanitize it
removing it when outgoing is gonna do nothing
s/could already send/sends, actuallywe only deal with the incoming html except with misskey
As I mentioned above, a strong CSP substantially helps in the event the sanitiser doesn't work to further mitigate the risk of malicious CSS and JavaScript. So yes we actually can do something about it.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Akkoma's (and Pleroma's) current dynamic CSP has mentions of extremely permissive directives like
unsafe-inline,unsafe-eval, anddata:.With recent incidents like activitypub-proxy and activitypub-troll, it clearly shows that some security needs to start being taken seriously.
If the feature itself poses a risk and very few to anyone is using said feature, there's very little harm in removing this and could signal others to do the same.
It's not any different than when Akkoma recently removed ruffle.js (ruffle.rs).
AkkomaGang/akkoma-fe#263
does the feature itself pose a risk? from what i understand it's not this html post option being problematic, it's html sanitization in general, both in and out
if few people use it then surely removing it wouldn't reduce the risk
thanks for reminding me, i've significantly tightened the CSP in
336d06b2a8in this case then, does removing html posting really improve anything security wise? it won't get rid of html posts inbound, after all
plan is to remove html posting, no need for this
Pull request closed