F-Droid aims to give app developers a nice way to present their apps to users. Each app can include descriptions, related metadata, and translations. We have just updated the list of HTML formatting tags that are allowed in app descriptions to make it clearer what works and what does not. This should make it easier to sync the description texts with other app stores that also allow some HTML. There are two key changes to the website generation:

• Disallowed HTML tags are now automatically removed (“stripped”), whereas before they were escaped (e.g. <script>).
• The list of allowed tags is now strictly enforced.

This change was prompted by some security issues in Loofah, the tool we rely on to strip dangerous HTML from the app descriptions. f-droid.org uses multiple layers of defense, that greatly limits the scope of security vulnerabilities. For example, this site includes a Content Security Policy that disables the most dangerous features, and limits the rest to URLs that are part of this site.

For those interested in the technical details: HTML allows data blobs to be included inline via the data: scheme. That can then be abused to load malicious things. Loofah was not properly handling those. This site’s Content Security Policy already disallows all uses of data:, so it was not an issue here. The self keyword means “only allow resources from the current origin”, and that is https://f-droid.org.