
Reduce risk of XSS #1051

Merged
merged 5 commits into from Nov 20, 2016

Conversation

Rob--W (Contributor) commented Nov 9, 2016

Prism and its plugins sometimes mix potentially unsafe input with HTML. In the worst case, this may lead to XSS vulnerabilities, especially when Prism is used to highlight external code.

See the individual commits for the fixes. If you decide to merge them all, don't squash the commits as doing so may obscure the relation between the commit message and the fix.

@Rob--W force-pushed the attribute-hardening branch 2 times, most recently from 2507f75 to d8c6062 on November 9, 2016 18:23
@Rob--W changed the title from "Skip non-own properties of env.attributes" to "Reduce risk of XSS" on Nov 9, 2016
Use `Object.keys` instead of a for-in loop to find optional attributes.
The former only grabs keys that are own properties, the latter also
includes inherited properties from `Object.prototype`.
This reduces the risk of XSS if an attacker somehow manages to
manipulate the prototype chain of the Object prototype.

If an attacker has control over the values of the attributes
"data-prompt", "data-user", or "data-host", then XSS was possible.
This fixes the issue, by encoding quotes as the `&quot;` entity.

There is no need for `innerHTML` here. At best nothing happens,
at worst XSS is possible (though the odds are negligible since
the attacker would have to control the detected language).
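The first two commit messages above describe two separate hardening steps: enumerating attributes with `Object.keys` so that nothing planted on `Object.prototype` leaks into the markup, and encoding quotes in attribute values so a value cannot close its own attribute. The following is an added example, not PrismJS code and not from this PR; it reconstructs the "before" and "after" attribute-building loop in plain Node.js. The function names (`buildAttrsUnsafe`, `buildAttrsSafe`, `escapeAttr`, `withPollutedPrototype`, `demo`), the sample attribute object and the simulated prototype pollution are assumptions made for illustration. Attribute names are treated as trusted (set by plugin code), which matches the commit messages' focus on values.

```javascript
// Added example (not PrismJS code): contrasts a for-in attribute loop with an
// Object.keys loop under a polluted Object.prototype, and shows why attribute
// values need quote-encoding. All names and sample data below are assumptions.

// Encode the characters that can terminate a double-quoted attribute value or
// start a new tag. The commit only mentions quotes; & < > are encoded as well so
// the output stays inert wherever it is concatenated.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// "Before": for-in walks the prototype chain, so any enumerable property an
// attacker managed to set on Object.prototype becomes an attribute, and the
// values are dropped into the quotes unencoded.
function buildAttrsUnsafe(attributes) {
  let out = '';
  for (const name in attributes) {
    out += ' ' + name + '="' + attributes[name] + '"';
  }
  return out;
}

// "After": Object.keys yields own enumerable properties only, and each value is
// encoded before it is placed inside the quotes.
function buildAttrsSafe(attributes) {
  return Object.keys(attributes)
    .map(name => ' ' + name + '="' + escapeAttr(attributes[name]) + '"')
    .join('');
}

// Simulates prototype pollution for the duration of fn() and restores the
// prototype afterwards, so the rest of the process is unaffected.
function withPollutedPrototype(name, value, fn) {
  Object.prototype[name] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[name];
  }
}

// Constructed sample input: a data-prompt value that tries to close the
// attribute and append an event handler, as if taken from untrusted code.
const sampleAttrs = {
  'data-prompt': '$" onmouseover="alert(1)',
  'data-user': 'alice',
};

// Builds both variants while Object.prototype.onerror is polluted.
function demo() {
  return withPollutedPrototype('onerror', 'alert(2)', () => ({
    unsafe: buildAttrsUnsafe(sampleAttrs),
    safe: buildAttrsSafe(sampleAttrs),
  }));
}

const result = demo();
console.log('before:' + result.unsafe);
console.log('after: ' + result.safe);
```

Running it shows the "before" output carrying both the injected `onmouseover` handler (from the unencoded quote) and an `onerror` attribute that came from the polluted prototype rather than from the attribute object; the "after" output contains neither.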
Rob--W (Contributor, Author) commented Nov 20, 2016

(rebased because of conflicts in toolbar-plugin.min.js)

@Golmote Can you take a look at this PR and merge it? I tweeted @LeaVerou, but she probably overlooked it.

@Golmote Golmote merged commit 17e33bc into PrismJS:gh-pages Nov 20, 2016