I noticed the following descriptions on executing archived JS.
Note: Only the wget extractor method executes archived JS when viewing snapshots, all other archive methods produce static output that does not execute JS on viewing. If you are worried about these issues ^ you should disable the wget extractor method using archivebox config --set SAVE_WGET=False.
Source: https://github.com/ArchiveBox/ArchiveBox#security-risks-of-viewing-archived-js
Source: GHSA-cr45-98w9-gwqx
I think the SAVE_DOM archive method could also lead to a similar issue. When viewing Chrome > HTML ./output.html, any remote JavaScript will be loaded and executed.
Is that right? If so, we should also document this and remind users to disable this option if they are worried about the XSS/CSRF issue.
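A small added check, not part of this issue or of ArchiveBox itself, that audits an archived DOM snapshot such as output.html for script elements that would run when the file is opened in a browser (remote script src URLs and inline script bodies); the sample HTML and the path name are constructed for illustration.

```python
from html.parser import HTMLParser


class ScriptAuditor(HTMLParser):
    """Collects <script> elements from an archived DOM snapshot."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.remote = []   # src URLs that a browser would fetch on viewing
        self.inline = 0    # inline script bodies that would run on viewing

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.remote.append(src)
        else:
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self.in_script and data.strip():
            self.inline += 1


def audit_snapshot(html: str) -> dict:
    """Return what JS an archived page would execute if viewed directly."""
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    return {
        "remote_scripts": parser.remote,
        "inline_scripts": parser.inline,
        "executes_js_on_view": bool(parser.remote or parser.inline),
    }


def audit_file(path: str) -> dict:
    """Audit a snapshot on disk, e.g. an archive's output.html (constructed path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_snapshot(fh.read())


# Constructed sample resembling a DOM extractor snapshot with a remote and an inline script.
SAMPLE = ('<html><head><script src="https://cdn.example.test/lib.js"></script>'
          '<script>document.title = "archived";</script></head><body>text</body></html>')
```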
You're right, it used to be stripped before we expanded it to be the full outerHTML with <head>, but I didn't realize it became included when we changed that. Good catch, thanks!
pirate changed the title from "Description on archived Javascript" to "DOM extractor output contains JS that can be executed upon viewing, and is subject to same security risks as viewing WGET output" on Nov 4, 2023