Author: F-Droid
F-Droid aims to give app developers a nice way to present their apps to users. Each app can include descriptions, related metadata, and translations.
We have just updated the list of HTML formatting tags that are allowed in app descriptions to make it clearer what works and what does not. This should make it easier to sync the description texts with other app stores that also allow some HTML. There are two key changes to the website generation:

- Disallowed HTML tags are now automatically removed ("stripped"), whereas before they were escaped (e.g. `<script>`).
- The list of allowed tags is now strictly enforced.
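As an added example (not F-Droid's website code, and not Loofah itself), the following Python allowlist sanitizer shows the difference between the two ways of handling a tag that is not on the list: escaping it so it appears as literal text, versus stripping the tag while keeping its inner text, which is the behaviour this post describes. The tag and attribute allowlists below are constructed for the example and are not F-Droid's real list; URL-bearing attributes are additionally filtered by scheme, so `data:` and `javascript:` links on otherwise-allowed tags are dropped as well.

```python
"""Allowlist HTML sanitizer demonstrating "escape" vs. "strip" handling.

Constructed example; the allowlists below are hypothetical and are NOT
F-Droid's real allowed-tag list.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (onclick, style, ...) is dropped
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}     # "" covers relative URLs; data:/javascript: are out
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """mode="strip": drop disallowed tags but keep their text (the new behaviour).
    mode="escape": keep disallowed tags as escaped literal text (the old behaviour)."""

    def __init__(self, mode="strip"):
        super().__init__(convert_charrefs=True)
        self.mode = mode
        self.out = []       # output fragments
        self.dropped = []   # audit trail: which tags / attributes were removed

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # Scheme check on URL attributes; strip whitespace first so a
            # value like " javascript:..." is classified by its real scheme.
            if name in URL_ATTRS and urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
            return
        self.dropped.append(tag)
        if self.mode == "escape":
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):      # self-closing form such as <br/>
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        elif self.mode == "escape":
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text content is always re-escaped

    def handle_comment(self, data):
        pass                                         # comments and declarations are dropped

    def handle_decl(self, decl):
        pass


def sanitize(html, mode="strip"):
    """Return (clean_html, dropped_items) for the given mode."""
    parser = AllowlistSanitizer(mode)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample description mixing allowed markup with things that must not survive.
SAMPLE = (
    '<p>Hello <b>world</b><script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="x()">x</a>'
    '<a href="data:text/html,oops">y</a>'
    '<img src="https://example.org/a.png"></p>'
)

if __name__ == "__main__":
    for mode in ("strip", "escape"):
        clean, dropped = sanitize(SAMPLE, mode)
        print(f"{mode:6}: {clean}\n        dropped={dropped}")
```

In strip mode the sample comes out as `<p>Hello <b>world</b>alert(1)<a>x</a><a>y</a></p>`: the `script` and `img` tags are gone, the inline event handler and the `javascript:`/`data:` links are dropped, and the `dropped` list gives you something to log. Keeping the inner text of a stripped tag matches Loofah's own "strip" semantics; if you would rather discard the contents too, that is a one-line change in `handle_data`.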
This change was prompted by some security issues in Loofah, the tool we rely on to strip dangerous HTML from the app descriptions. f-droid.org uses multiple layers of defense, which greatly limit the scope of security vulnerabilities. For example, this site includes a Content Security Policy that disables the most dangerous features and limits the rest to URLs that are part of this site.
For those interested in the technical details: HTML allows data blobs to be included inline via the `data:` scheme. That can then be abused to load malicious things. Loofah was not properly handling those. This site's Content Security Policy already disallows all uses of `data:`, so it was not an issue here. The `'self'` keyword means "only allow resources from the current origin", and that is https://f-droid.org.
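To make the CSP layer concrete, here is an added Python example (not part of the post, and not F-Droid's deployment code) that evaluates whether a policy permits a given resource URL for a given directive, including the `default-src` fallback that makes a `data:` image request fail under a policy of the kind described above. The policy strings are constructed for the example; only the page origin https://f-droid.org comes from the post. The matcher is deliberately simplified: it handles `'self'`, `'none'`, scheme sources and exact host origins, not wildcard hosts, nonces or hashes.

```python
"""Simplified CSP evaluator: does a policy allow <url> for <directive>?

Constructed example. Covers 'self', 'none', scheme-sources (data:, https:)
and exact-origin host-sources; wildcard hosts, nonces and hashes are omitted.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (a subset).
FALLS_BACK_TO_DEFAULT = {
    "img-src", "script-src", "style-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src",
}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_csp(header):
    """Turn "img-src 'self' data:; script-src 'self'" into a directive -> sources dict."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`, or None if the policy does not restrict it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def origin_of(url):
    u = urlsplit(url.strip())
    return f"{u.scheme.lower()}://{u.netloc.lower()}"


def source_matches(source, url, page_origin):
    s = source.lower()
    scheme = urlsplit(url.strip()).scheme.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        # A data: URL has no host, so its "origin" can never equal the page origin.
        return origin_of(url) == page_origin.lower()
    if s == "*":
        # A bare wildcard matches network schemes only, never data:, blob: or filesystem:.
        return scheme in NETWORK_SCHEMES
    if s.endswith(":"):                        # scheme-source, e.g. data: or https:
        return scheme == s[:-1]
    return origin_of(url) == s.rstrip("/")     # exact host-source (no wildcards here)


def allowed(header, directive, url, page_origin="https://f-droid.org"):
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True    # nothing in this policy restricts the directive
    return any(source_matches(src, url, page_origin) for src in sources)


# Constructed policies: STRICT_CSP follows the shape the post describes
# ('self' everywhere, no data:), WEAK_CSP shows the setting that would expose data: blobs.
STRICT_CSP = "default-src 'self'; img-src 'self' https://cdn.example.org; script-src 'self'"
WEAK_CSP = "default-src 'self'; img-src 'self' data:"

if __name__ == "__main__":
    data_img = "data:image/svg+xml;base64,PHN2Zz48L3N2Zz4="
    print("strict allows data: image?", allowed(STRICT_CSP, "img-src", data_img))
    print("weak allows data: image?  ", allowed(WEAK_CSP, "img-src", data_img))
    print("font via default-src fallback?",
          allowed(STRICT_CSP, "font-src", "https://fonts.example.net/a.woff"))
```

The fallback matters: `STRICT_CSP` has no `font-src`, yet a font from a third-party host is still refused because `default-src 'self'` takes over, whereas `form-action` (a navigation directive) does not fall back and so is unrestricted by that policy. Adding `data:` to `img-src`, as in `WEAK_CSP`, is exactly the kind of setting that would have turned the Loofah bug into a live issue.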