TTRSS interaction with " in title value

I’m pretty sure the problem here originates with Reddit, and I’m only really posting here in case the outcome in TT-RSS is undesirable.

Let’s get the basics out of the way. Haven’t gotten around to building a test environment to figure out migrating to a docker setup, so…

Xubuntu 18.04.3
Apache 2.4.29 (Ubuntu)
PHP 7.2.24-0ubuntu0.18.04.2
Postgres 9.6.8
Not sure which commit I was on initially, but upgraded and behavior continued on TTRSS v20.01-01513aa41
Firefox 72.0.1 on Windows 10 client
Chrome 79.0.3945.130 on Windows 10 client
TTRSS app 1.277 (511) Build timestamp 2019.11.30 05:30:21
TTRSS is set for Combined Mode, show content preview in headlines
Edit for plugins:
auth_internal, af_comics, af_fsckportal, af_redditimgur, af_tumblr_1280, af_unburn, af_youtube_embed, af_zz_noautoplay, feedstatistics, no_iframes, no_url_hashes, note, tumblr_gdpr_ua
If you want a feed to test/duplicate with, pastebin here: <?xml version="1.0" encoding="UTF-8"?><feed xmlns="http://www.w3.org/2005/Atom"> - Pastebin.com

Symptoms and examination:
Noticed that my Reddit category had an unread entry. Clicked on the category; nothing on the right. Okay, weird.

After investigation, the article does not appear in Firefox or in Chrome when it should. (checked that it was retrieved with browser debug tools)

It does show up in the TTRSS app.

If you scroll through articles with Ctrl+Arrow, the active article skips over the missing article completely.

If you select all, you can mark it as read/unread.

At one point, I was able to make it the active article when no others were available (cannot remember how I did this?) and could open with o, which is how I discovered it had quotes in the title.

From Firefox’s source, to give an idea of what’s going wrong:
<a class=“title” title=“Discreet " trail”=“” lights=“” in=“” factory=“” cutouts=“” within=“” my=“” grille"=“” target=“_blank” rel=“noopener noreferrer” href=“https://www.reddit.com/r/battlewagon/comments/epqzm5/discreet_trail_lights_hidden_in_factory_cutouts/” hidden=“”>

In Firefox, the div for this entry is completely greyed out. Not familiar enough with inspector to know what that indicates, but fixing the quotes in the entry did not make it appear normally.

I ran the feed through myfeedsucks just to see how it was being interpreted, if anything seemed odd, etc. Nothing noteworthy seemed to happen.

When the article was initially imported, I had af_redditimgur enabled. I tried disabling it and fetching via feed debugger with refetch/rehash enabled, no change in how everything appeared in the web client.

I wouldn’t be surprised if Reddit wasn’t escaping the quote properly, but in the end, the invisible article and the escape into HTML seemed less than ideal, so I felt I had the responsibility to report it was happening. Nothing seemed to actually break, other than the hidden entry. I didn’t see anything in the error log. Nothing appear to have come out in the daemon’s command line.

If this isn’t a concern, then disregard. Searched the forum for amp quot just to see if anything relevant came up; didn’t seem to be.

You should try again in private browsing/incognito mode with extensions disabled.

That usually means the element is there, but not visible (such as when CSS display:none is used on an element).

Didn’t think of that, especially with uBlock. Tested in Chrome, opened private session, disabled extensions, opened up TTRSS. Entry is still hidden. When mousing over the div, nothing is highlighted. In styles, it does have div[Attributes Style] { display: none; }, now that I knew to look for it. I can’t seem to edit it like other CSS attributes.

You’ve got me realizing other plugins could be culprits, so I’ll add those to the first post.

Do you have custom CSS set in TT-RSS > Preferences?

Something that was meant to adjust image sizes down, and something that affected scrolling at one point, although the changes a few months ago may have rendered that moot.

.cdm .intermediate img, .cdm .intermediate video, .cdm .content-inner img, .cdm .content-inner video {
border-width: 0;
max-width: 1000px;
height: auto;
display: inherit;
}
/* Add enough whitespace to scroll headlines to the top. */
body.ttrss_main #headlines-frame #headlines-spacer {
height: 100%;

I can see the display: inherit and I would think that the code would apply to all entries on the feed, if .cdm was the culprit, but CSS is very much a weak point for me.

edit:
Sorry, needed a minute before I could follow through completely. Removed user css, article still hidden. Firefox does not show display: none among the properties.

Also, I’m not certain that there’s an issue there, but any concern about the title being interpreted as properties of the A tag? Not sure if it’s possible to navigate anything tricky through the escapes/unescapes, but I wouldn’t be sure where to begin looking.

Edit 2:
Ey, Firefox was a little friendlier. display: block inherited from html.css on line 104 (“article,”) leads to display:block;

looks like this article is visible in three panel mode though but yeah it gets hidden in combined mode. very nice.


in this particular case the magic is in the article title - first it breaks escaping because of quotes and then the div is hidden because the word “hidden” is parsed as an attribute.

i’m not sure if this is exploitable further, that is you can somehow run feed-supplied javascript through this, but it is a legitimate issue.

i did some googling and it looks that ES6 template strings don’t escape quotes (which i assumed wrongly, i guess) so some additional sanitization is needed there before rendering.

it doesn’t break in three panel mode because we don’t have a data-article-title custom attribute there.

here’s a fix: https://git.tt-rss.org/fox/tt-rss/commit/303f8fb329ff75e41559806c9affd8c3c49504b0 which should deal with all (?) occurences of strings rendered to html attributes unquoted.

again, i’m not sure if this could be exploited via feed data (it seems very unlikely) but markup breakage is a rather serious issue so i recommend everyone to update.

thanks to @linoth for reporting this. :+1:

Missed hidden when I was looking through html.css. That makes sense.

Updated to latest git image, and the original article (without being updated) shows up again. Added and forced the /r/battlewagon rss feed to update, and nothing in error log or coming out of the update daemon.

Thank you for looking into that, fox. I’m not remotely enough of a coder to pick it apart, but seeing the article title as properties was an immediate warning bell.