doc/coding_style.txt @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 8728:41c959c5c84b |
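The restriction the commit message describes, as an added example that is not Prosody's own util.xml code: a LuaExpat parser whose StartDoctypeDecl, ProcessingInstruction and Comment callbacks abort the parse before anything after the offending construct is processed. The parse_xml function, its allow_comments flag and the sample inputs are assumptions for illustration; the callback names and parser:stop() are LuaExpat's.

```lua
local lxp = require "lxp";

-- Parse `xml` into a simple element tree, refusing doctype declarations and
-- processing instructions outright, and comments unless `allow_comments` is set.
local function parse_xml(xml, allow_comments)
	local root, stack, rejected = nil, {}, nil;
	-- Handler that aborts the parse as soon as a forbidden construct appears.
	local function reject(what)
		return function(parser)
			rejected = "XML " .. what .. " not allowed";
			-- parser:stop() (LuaExpat 1.3+) makes expat abort immediately, so no
			-- later content or entity is processed; older LuaExpat lacks it, so
			-- fall back to raising an error from inside the callback instead.
			if not parser.stop or not parser:stop() then
				error(rejected);
			end
		end
	end
	local parser = lxp.new({
		StartElement = function(_, name, attr)
			local el = { name = name, attr = attr, children = {} };
			if #stack == 0 then root = el; else table.insert(stack[#stack].children, el); end
			table.insert(stack, el);
		end;
		EndElement = function() table.remove(stack); end;
		CharacterData = function(_, text) table.insert(stack[#stack].children, text); end;
		-- The security-relevant part: no doctype, no PI, comments only on request.
		StartDoctypeDecl = reject("doctype declaration");
		ProcessingInstruction = reject("processing instruction");
		Comment = (not allow_comments) and reject("comment") or nil;
	});
	-- A rejected construct surfaces as a failed parse() (or a raised error),
	-- so the caller gets nil plus a reason rather than a partial tree.
	local ok, err = pcall(function()
		assert(parser:parse(xml));
		assert(parser:parse()); -- no more data: finish the document
		parser:close();
	end);
	if not ok then return nil, rejected or err; end
	return root;
end

-- Constructed inputs: a plain <open/> frame parses; anything carrying a
-- doctype, a processing instruction or (by default) a comment is refused.
assert(parse_xml("<open xmlns='urn:ietf:params:xml:ns:xmpp-framing'/>"));
assert(not parse_xml("<!DOCTYPE open [<!ENTITY a 'x'>]><open>&a;</open>"));
assert(not parse_xml("<?xml-stylesheet href='x'?><open/>"));
assert(not parse_xml("<!-- note --><open/>"));
assert(parse_xml("<!-- note --><open/>", true));
```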
This file describes some coding styles to try and adhere to when contributing to this project. Please try to follow them, and feel free to fix code you see not following this standard.

== Indentation ==

1 tab indentation for all blocks

== Spacing ==

No space between function names and parentheses, or between parentheses and parameters:

	function foo(bar, baz)

Single space between braces and key/value pairs in table constructors:

	{ foo = "bar", bar = "foo" }

== Local variable naming ==

In this project there are many places where use of globals is restricted, and locals are used for faster access. Local versions of standard functions should follow the form below:

	math.random -> m_random
	string.char -> s_char

== Miscellaneous ==

Single-statement blocks may be written on one line when short:

	if foo then bar(); end

'do' and 'then' keywords should be placed at the end of the line, and never on a line by themselves.