Reduce risk of XSS #1051

merged 5 commits into from Nov 20, 2016


None yet

2 participants

Rob--W commented Nov 9, 2016 edited

Prism and its plugins sometimes mixes potentially unsafe input with HTML. In the worst case, this may lead to a XSS vulnerabilities, especially when prism is used to highlight external code.

See the individual commits for the fixes. If you decide to merge them all, don't squash the commits as doing so may obscure the relation between the commit message and the fix.

@Rob--W Rob--W changed the title from Skip non-own properties of env.attributes to Reduce risk of XSS Nov 9, 2016
Rob--W added some commits Nov 9, 2016
@Rob--W Rob--W Skip non-own properties of env.attributes
Use `Object.keys` instead of a for-in loop to find optional attributes.
The former only grabs keys that are own properties, the latter also
includes inherit properties from `Object.prototype`.
This reduces the risk of XSS if an attacker somehow manages to
manipulate the prototype chain of the Object prototype.
@Rob--W Rob--W Fix root cause of XSS in autolinker plugin #1054 c4009cf
@Rob--W Rob--W command-line plugin: Safely encode attributes
If an attacker has control over the values of the attributes
"data-prompt", "data-user", or "data-host", then XSS was possible.
This fixes the issue, by encoding quotes as the `"` entity.
@Rob--W Rob--W show-language plugin: innerHTML -> textContent
There is no need for `innerHTML` here. At best nothing happens,
at worst XSS is possible (though the odds are negligible since
the attacker would have to control the detected language).
@Rob--W Rob--W toolbar plugin: innerHTML -> textContent 058a99a
Rob--W commented Nov 20, 2016

(rebased because of conflicts in toolbar-plugin.min.js)

@Golmote Can you take a look at this PR and merge it? I tweeted @LeaVerou, but she probably overlooked it.

@Golmote Golmote merged commit 17e33bc into PrismJS:gh-pages Nov 20, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment