
DOM extractor output contains JS that can be executed upon viewing, and is subject to same security risks as viewing WGET output #1261

Closed
p0n1 opened this issue Nov 3, 2023 · 1 comment

Comments

@p0n1

p0n1 commented Nov 3, 2023

I noticed the following descriptions on executing archived JS.

Note: Only the wget extractor method executes archived JS when viewing snapshots, all other archive methods produce static output that does not execute JS on viewing. If you are worried about these issues ^ you should disable the wget extractor method using archivebox config --set SAVE_WGET=False.

Source: https://github.com/ArchiveBox/ArchiveBox#security-risks-of-viewing-archived-js

Workarounds
Disable the wget extractor by setting archivebox config --set SAVE_WGET=False, ensure you are always logged out, or serve only a static HTML version of your archive.

Source: GHSA-cr45-98w9-gwqx

I think the SAVE_DOM archive method could also lead to a similar issue. When viewing Chrome > HTML ./output.html, any remote JavaScript will be loaded and executed.

Is that right? If so, we should also document this and remind users to disable this option if they are worried about the XSS/CSRF issue.
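A defender-side check for the condition raised in this post, added here as an example and not ArchiveBox's own code: it scans a DOM-extractor snapshot for script that would run when the file is opened in a browser. The sample output.html is constructed, and its layout as a full outerHTML document with a head section is an assumption.

```python
"""Audit a DOM-extractor snapshot (output.html) for JS that would execute on viewing.

Added example, not ArchiveBox code. SAMPLE_OUTPUT_HTML is constructed; the
assumption is that the snapshot is a full outerHTML document including <head>.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptFinder(HTMLParser):
    """Collect <script src=...> references, inline <script> bodies and on* attributes."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []   # every script src attribute, remote or relative
        self.inline_scripts = 0  # <script> elements without a src
        self.event_handlers = []  # (tag, attribute) for inline handlers like onload

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "script":
            src = attrs.get("src")
            if src:
                self.script_srcs.append(src)
            else:
                self.inline_scripts += 1
        for name in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name))


def audit_snapshot(html: str) -> dict:
    """Return what in the snapshot would execute on view, and which remote hosts it reaches."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    # Absolute and protocol-relative srcs fetch from a third party at view time.
    remote = [u for u in finder.script_srcs if u.startswith(("http://", "https://", "//"))]
    hosts = sorted({urlsplit(u, scheme="https").netloc for u in remote})
    return {
        "script_srcs": finder.script_srcs,
        "remote_hosts": hosts,
        "inline_scripts": finder.inline_scripts,
        "event_handlers": finder.event_handlers,
        "executes_js_on_view": bool(finder.script_srcs or finder.inline_scripts or finder.event_handlers),
    }


# Constructed sample standing in for a SAVE_DOM output.html.
SAMPLE_OUTPUT_HTML = """<html><head><title>Archived page</title>
<script src="https://cdn.example.com/app.js"></script>
<script>console.log("inline")</script>
</head><body onload="init()"><img src="logo.png" alt=""></body></html>"""

if __name__ == "__main__":
    print(audit_snapshot(SAMPLE_OUTPUT_HTML))
```

Running this over every output.html in an archive before serving it tells you which snapshots still carry executable script and which third-party hosts they would contact.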

@pirate
Member

pirate commented Nov 4, 2023

You're right, it used to be stripped before we expanded it to be the full outerHTML with <head>, but I didn't realize it became included when we changed that. Good catch, thanks!

I updated the CVE GHSA-cr45-98w9-gwqx CVE-2023-45815, README.md, and Security Overview Wiki page.

@pirate pirate closed this as completed Nov 4, 2023
@pirate pirate changed the title Description on archived Javascript DOM extractor output contains JS that can be executed upon viewing, and is subject to same security risks as viewing WGET output Nov 4, 2023