From 4d97e4c0ad0367a493f55387a2f379d2a22ee8e5 Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Thu, 19 Oct 2023 15:48:06 +0200
Subject: [PATCH 1/5] Using HTML5validator action
---
 .github/workflows/build_pages_native.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build_pages_native.yml b/.github/workflows/build_pages_native.yml
index aa0f8ba5..e614e510 100644
--- a/.github/workflows/build_pages_native.yml
+++ b/.github/workflows/build_pages_native.yml
@@ -25,8 +25,8 @@ jobs:
 uses: actions/setup-python@v4
 with:
 python-version: '3.7'
- - name: install prerequisites
- run: pip3 install html5validator requests && gem install --no-document html-proofer
+# - name: install prerequisites
+# run: pip3 install html5validator requests && gem install --no-document html-proofer
 - name: Update external content
 run: ./update.sh
 - name: Clean up stubs
@@ -35,8 +35,18 @@ jobs:
 run: bundle exec jekyll build --future 2>&1 | tee jekyll-build.log
 - name: "Fix security.txt"
 run: mkdir _site/.well-known && (cd _site/.well-known && ln -s ../security.txt) && ls -al _site/.well-known
+# - name: Test HTML code
+# run: ./proof_html.sh
 - name: Test HTML code
- run: ./proof_html.sh
+ uses: Cyb3r-Jak3/html5validator-action@v7.2.0
+ with:
+ root: _site/
+ - name: Upload HTML test report
+ uses: actions/upload-artifact@v3
+ if: success() || failure() # Run even if we had an error
+ with:
+ name: html5validator_log
+ path: log.log
 - name: rsync deploy
 uses: burnett01/rsync-deployments@5.2.1
 if: ${{ github.ref == 'refs/heads/main' }}
From 5b1328497d7f7371971c65650e81c5331717671a Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Thu, 19 Oct 2023 15:50:17 +0200
Subject: [PATCH 2/5] Don't forget about python requests
---
 .github/workflows/build_pages_native.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build_pages_native.yml b/.github/workflows/build_pages_native.yml
index e614e510..0ed0408c 100644
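Review bot: The `install prerequisites` step is commented out rather than deleted, leaving two `#` lines in the job that no longer describe what runs and will drift from the live step list; git history already preserves the old `pip3 install html5validator requests && gem install --no-document html-proofer` command, so the two lines should go. If any part of that install is still needed by `./update.sh` on the following context line, it belongs in a real step, not a comment. The `python-version: '3.7'` context line is untouched here, but 3.7 reached end-of-life in June 2023, so it is worth bumping while this file is being edited rather than waiting for `setup-python` to stop resolving it.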
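Review bot: `uses: Cyb3r-Jak3/html5validator-action@v7.2.0` pins a third-party action to a mutable git tag; whoever can move that tag, or whoever takes over the account, gets code execution inside this job, which later runs the `rsync deploy` step and therefore presumably has the deployment credentials in scope. Pin to the full commit SHA and keep the tag as a comment, `uses: Cyb3r-Jak3/html5validator-action@<full-commit-sha>  # v7.2.0`, and do the same for the new `actions/upload-artifact@v3` line and the existing `burnett01/rsync-deployments@5.2.1`; Dependabot's `github-actions` ecosystem can keep the SHA comments current. `path: log.log` also relies on the action writing its log to that file in the workspace; confirm that against the action's documentation, because `upload-artifact@v3` defaults to `if-no-files-found: warn` and an empty artifact would go unnoticed.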
--- a/.github/workflows/build_pages_native.yml
+++ b/.github/workflows/build_pages_native.yml
@@ -27,6 +27,8 @@ jobs:
 python-version: '3.7'
 # - name: install prerequisites
 # run: pip3 install html5validator requests && gem install --no-document html-proofer
+ - name: install prerequisites
+ run: pip3 install requests
 - name: Update external content
 run: ./update.sh
 - name: Clean up stubs
From 3a8614d90711a8b7cfe9886314561e69d69e82b9 Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Thu, 19 Oct 2023 15:57:10 +0200
Subject: [PATCH 3/5] Fix HTML error
---
 _posts/2022/22-08-10-Itarian-Full-Disclosure.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_posts/2022/22-08-10-Itarian-Full-Disclosure.md b/_posts/2022/22-08-10-Itarian-Full-Disclosure.md
index 094bd82a..d20618d8 100644
--- a/_posts/2022/22-08-10-Itarian-Full-Disclosure.md
+++ b/_posts/2022/22-08-10-Itarian-Full-Disclosure.md
@@ -82,7 +82,7 @@ The Token session cookie can be retrieved by abusing the XSS vulnerability in th
 Creating and bypassing approval consists of multiple steps. The vulnerability is easily exploited by calling the following three API endpoints in the following order:
 1. /procedure/windows/create
-2. /procedure/windows/update/id/
+2. /procedure/windows/update/id/\
 3. /procedure/run/device-all
 The first API call is used to create a procedure, the second is used to add arbitrary Python code and the last API call bypasses approval and pushes the procedure to all devices. These three steps have been automated in a Python POC which can be found [here](https://github.com/DIVD-NL/Itarian-2021-00037/blob/main/POC/CVE-2022-25152-POC.py)
From 35b5ae791fec2b0f9d15f53f2b7ed6bc151dae9f Mon Sep 17 00:00:00 2001
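Review bot: `run: pip3 install requests` installs whatever the newest release on PyPI is at build time, so the build is not reproducible and a yanked, broken or compromised release lands straight in the job that goes on to deploy the site. Pin it, `run: pip3 install 'requests==<version>'`, or better move it to a requirements file installed with `--require-hashes` so the artifact is verified as well as versioned. The two commented-out `install prerequisites` lines immediately above this step are now fully superseded and can be removed in the same change.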
From: Frank Breedijk
Date: Thu, 19 Oct 2023 16:07:20 +0200
Subject: [PATCH 4/5] Minify HTML output too
---
 _config.yml | 11 ++++++++++-
 _layouts/compress.html | 10 ++++++++++
 _layouts/default.html | 4 ++++
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 _layouts/compress.html
diff --git a/_config.yml b/_config.yml
index ae89a031..8a4a878a 100644
--- a/_config.yml
+++ b/_config.yml
@@ -54,7 +54,16 @@ defaults:
 scope:
 path: "" # an empty string here means all files in the project
 values:
- layout: "default"
+ layout: "default"
+
+compress_html:
+ clippings: all
+ comments: [""]
+ endings: [html, head, body, li, dt, dd, rt, rp, optgroup, option, colgroup, caption, thead, tbody, tfoot, tr, td, th]
+ profile: false
+ blanklines: false
+ ignore:
+ envs: []
 exclude:
diff --git a/_layouts/compress.html b/_layouts/compress.html
new file mode 100644
index 00000000..bb34487d
--- /dev/null
+++ b/_layouts/compress.html
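Review bot: `ignore: envs: []` switches the minifier on for every Jekyll environment, because the compress layout only passes `content` through untouched when `site.compress_html.ignore.envs` contains `jekyll.environment`; `envs: [development]` keeps local `jekyll serve` output readable and diffable while production stays minified. As rendered here `comments: [""]` is a one-element list, and the layout only strips comments when `_comments.size == 2`, so either the intended `["<!-- ", "-->"]` pair was lost in display or comment stripping is silently a no-op — worth checking the committed file. Note also that patch 5/5 in this series deletes `_layouts/compress.html` and the `layout: compress` front matter but does not touch `_config.yml`, so after the series applies this whole `compress_html:` stanza is dead configuration and should be removed together with the layout.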
@@ -0,0 +1,10 @@ +--- +# Jekyll layout that compresses HTML +# v3.1.0 +# http://jch.penibelst.de/ +# © 2014–2015 Anatol Broder +# MIT License +--- + +{% capture _LINE_FEED %} +{% endcapture %}{% if site.compress_html.ignore.envs contains jekyll.environment or site.compress_html.ignore.envs == "all" %}{{ content }}{% else %}{% capture _content %}{{ content }}{% endcapture %}{% assign _profile = site.compress_html.profile %}{% if site.compress_html.endings == "all" %}{% assign _endings = "html head body li dt dd optgroup option colgroup caption thead tbody tfoot tr td th" | split: " " %}{% else %}{% assign _endings = site.compress_html.endings %}{% endif %}{% for _element in _endings %}{% capture _end %}{% endcapture %}{% assign _content = _content | remove: _end %}{% endfor %}{% if _profile and _endings %}{% assign _profile_endings = _content | size | plus: 1 %}{% endif %}{% for _element in site.compress_html.startings %}{% capture _start %}<{{ _element }}>{% endcapture %}{% assign _content = _content | remove: _start %}{% endfor %}{% if _profile and site.compress_html.startings %}{% assign _profile_startings = _content | size | plus: 1 %}{% endif %}{% if site.compress_html.comments == "all" %}{% assign _comments = "" | split: " " %}{% else %}{% assign _comments = site.compress_html.comments %}{% endif %}{% if _comments.size == 2 %}{% capture _comment_befores %}.{{ _content }}{% endcapture %}{% assign _comment_befores = _comment_befores | split: _comments.first %}{% for _comment_before in _comment_befores %}{% if forloop.first %}{% continue %}{% endif %}{% capture _comment_outside %}{% if _carry %}{{ _comments.first }}{% endif %}{{ _comment_before }}{% endcapture %}{% capture _comment %}{% unless _carry %}{{ _comments.first }}{% endunless %}{{ _comment_outside | split: _comments.last | first }}{% if _comment_outside contains _comments.last %}{{ _comments.last }}{% assign _carry = false %}{% else %}{% assign _carry = true %}{% endif %}{% endcapture %}{% assign 
_content = _content | remove_first: _comment %}{% endfor %}{% if _profile %}{% assign _profile_comments = _content | size | plus: 1 %}{% endif %}{% endif %}{% assign _pre_befores = _content | split: "" %}{% assign _pres_after = "" %}{% if _pres.size != 0 %}{% if site.compress_html.blanklines %}{% assign _lines = _pres.last | split: _LINE_FEED %}{% capture _pres_after %}{% for _line in _lines %}{% assign _trimmed = _line | split: " " | join: " " %}{% if _trimmed != empty or forloop.last %}{% unless forloop.first %}{{ _LINE_FEED }}{% endunless %}{{ _line }}{% endif %}{% endfor %}{% endcapture %}{% else %}{% assign _pres_after = _pres.last | split: " " | join: " " %}{% endif %}{% endif %}{% capture _content %}{{ _content }}{% if _pre_before contains "" %}{% endif %}{% unless _pre_before contains "" and _pres.size == 1 %}{{ _pres_after }}{% endunless %}{% endcapture %}{% endfor %}{% if _profile %}{% assign _profile_collapse = _content | size | plus: 1 %}{% endif %}{% if site.compress_html.clippings == "all" %}{% assign _clippings = "html head title base link meta style body article section nav aside h1 h2 h3 h4 h5 h6 hgroup header footer address p hr blockquote ol ul li dl dt dd figure figcaption main div table caption colgroup col tbody thead tfoot tr td th" | split: " " %}{% else %}{% assign _clippings = site.compress_html.clippings %}{% endif %}{% for _element in _clippings %}{% assign _edges = " ;; ;" | replace: "e", _element | split: ";" %}{% assign _content = _content | replace: _edges[0], _edges[1] | replace: _edges[2], _edges[3] | replace: _edges[4], _edges[5] %}{% endfor %}{% if _profile and _clippings %}{% assign _profile_clippings = _content | size | plus: 1 %}{% endif %}{{ _content }}{% if _profile %}
Step Bytes
raw {{ content | size }}{% if _profile_endings %}
endings {{ _profile_endings }}{% endif %}{% if _profile_startings %}
startings {{ _profile_startings }}{% endif %}{% if _profile_comments %}
comments {{ _profile_comments }}{% endif %}{% if _profile_collapse %}
collapse {{ _profile_collapse }}{% endif %}{% if _profile_clippings %}
clippings {{ _profile_clippings }}{% endif %}
{% endif %}{% endif %}
diff --git a/_layouts/default.html b/_layouts/default.html
index ee141c10..33f43328 100644
--- a/_layouts/default.html
+++ b/_layouts/default.html
@@ -1,3 +1,7 @@
+---
+layout: compress
+---
+
 {% include header.html %}
 {% include navigation.html %}
From 0bd5739a08176ce44d2db83f1437294a76ed96fc Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Thu, 19 Oct 2023 16:10:26 +0200
Subject: [PATCH 5/5] Minifacation breaks mermaid graphs
---
 _layouts/compress.html | 10 ----------
 _layouts/default.html | 4 ----
 2 files changed, 14 deletions(-)
 delete mode 100644 _layouts/compress.html
diff --git a/_layouts/compress.html b/_layouts/compress.html
deleted file mode 100644
index bb34487d..00000000
--- a/_layouts/compress.html
+++ /dev/null
@@ -1,10 +0,0 @@ ---- -# Jekyll layout that compresses HTML -# v3.1.0 -# http://jch.penibelst.de/ -# © 2014–2015 Anatol Broder -# MIT License ---- - -{% capture _LINE_FEED %} -{% endcapture %}{% if site.compress_html.ignore.envs contains jekyll.environment or site.compress_html.ignore.envs == "all" %}{{ content }}{% else %}{% capture _content %}{{ content }}{% endcapture %}{% assign _profile = site.compress_html.profile %}{% if site.compress_html.endings == "all" %}{% assign _endings = "html head body li dt dd optgroup option colgroup caption thead tbody tfoot tr td th" | split: " " %}{% else %}{% assign _endings = site.compress_html.endings %}{% endif %}{% for _element in _endings %}{% capture _end %}{% endcapture %}{% assign _content = _content | remove: _end %}{% endfor %}{% if _profile and _endings %}{% assign _profile_endings = _content | size | plus: 1 %}{% endif %}{% for _element in site.compress_html.startings %}{% capture _start %}<{{ _element }}>{% endcapture %}{% assign _content = _content | remove: _start %}{% endfor %}{% if _profile and site.compress_html.startings %}{% assign _profile_startings = _content | size | plus: 1 %}{% endif %}{% if site.compress_html.comments == "all" %}{% assign _comments = "" | split: " " %}{% else %}{% assign _comments = site.compress_html.comments %}{% endif %}{% if _comments.size == 2 %}{% capture _comment_befores %}.{{ _content }}{% endcapture %}{% assign _comment_befores = _comment_befores | split: _comments.first %}{% for _comment_before in _comment_befores %}{% if forloop.first %}{% continue %}{% endif %}{% capture _comment_outside %}{% if _carry %}{{ _comments.first }}{% endif %}{{ _comment_before }}{% endcapture %}{% capture _comment %}{% unless _carry %}{{ _comments.first }}{% endunless %}{{ _comment_outside | split: _comments.last | first }}{% if _comment_outside contains _comments.last %}{{ _comments.last }}{% assign _carry = false %}{% else %}{% assign _carry = true %}{% endif %}{% endcapture %}{% assign 
_content = _content | remove_first: _comment %}{% endfor %}{% if _profile %}{% assign _profile_comments = _content | size | plus: 1 %}{% endif %}{% endif %}{% assign _pre_befores = _content | split: "" %}{% assign _pres_after = "" %}{% if _pres.size != 0 %}{% if site.compress_html.blanklines %}{% assign _lines = _pres.last | split: _LINE_FEED %}{% capture _pres_after %}{% for _line in _lines %}{% assign _trimmed = _line | split: " " | join: " " %}{% if _trimmed != empty or forloop.last %}{% unless forloop.first %}{{ _LINE_FEED }}{% endunless %}{{ _line }}{% endif %}{% endfor %}{% endcapture %}{% else %}{% assign _pres_after = _pres.last | split: " " | join: " " %}{% endif %}{% endif %}{% capture _content %}{{ _content }}{% if _pre_before contains "" %}{% endif %}{% unless _pre_before contains "" and _pres.size == 1 %}{{ _pres_after }}{% endunless %}{% endcapture %}{% endfor %}{% if _profile %}{% assign _profile_collapse = _content | size | plus: 1 %}{% endif %}{% if site.compress_html.clippings == "all" %}{% assign _clippings = "html head title base link meta style body article section nav aside h1 h2 h3 h4 h5 h6 hgroup header footer address p hr blockquote ol ul li dl dt dd figure figcaption main div table caption colgroup col tbody thead tfoot tr td th" | split: " " %}{% else %}{% assign _clippings = site.compress_html.clippings %}{% endif %}{% for _element in _clippings %}{% assign _edges = " ;; ;" | replace: "e", _element | split: ";" %}{% assign _content = _content | replace: _edges[0], _edges[1] | replace: _edges[2], _edges[3] | replace: _edges[4], _edges[5] %}{% endfor %}{% if _profile and _clippings %}{% assign _profile_clippings = _content | size | plus: 1 %}{% endif %}{{ _content }}{% if _profile %}
Step Bytes
raw {{ content | size }}{% if _profile_endings %}
endings {{ _profile_endings }}{% endif %}{% if _profile_startings %}
startings {{ _profile_startings }}{% endif %}{% if _profile_comments %}
comments {{ _profile_comments }}{% endif %}{% if _profile_collapse %}
collapse {{ _profile_collapse }}{% endif %}{% if _profile_clippings %}
clippings {{ _profile_clippings }}{% endif %}
{% endif %}{% endif %}
diff --git a/_layouts/default.html b/_layouts/default.html
index 33f43328..ee141c10 100644
--- a/_layouts/default.html
+++ b/_layouts/default.html
@@ -1,7 +1,3 @@
----
-layout: compress
----
-
 {% include header.html %}
 {% include navigation.html %}