
XSS? #102

Open
dvv opened this Issue · 8 comments

5 participants

@dvv

(npm version)

The "About me" field allows including <script>alert('hacked')</script>, and it gets executed successfully when viewing the profile.

Best regards,
--Vladimir

@cliftonc
Owner
@dennishall
Collaborator

That sounds like a good interim solution.

This should probably be partly the job of the content type to declare whether a given field should allow [ no html, filtered html, or full html ] + defined per role. Of course, on further thought, that should probably only apply to textareas, and all other fields should most likely simply disallow any form of html.

@dvv

I think the problem is not in the input, but rather in the output. No need to limit the user's input (<script>alert('hacked')</script> is a pretty valid description of someone's profile :) really.), but output should always be escaped (maybe at layout template level?).

@dennishall
Collaborator

Good point. I had mistakenly considered this as input filtering. So, to combine your point with mine, the output should be filtered as one of [plain text, filtered html, full html]. This article focuses on your point, but also touches on mine: http://www.lullabot.com/articles/drupal-input-formats-and-filters

@dennishall
Collaborator

Just to round out this conversation a little more, it should be noted that input filtering will probably give better performance for most cases (filter once, on db insert/update, instead of filtering every time it's viewed) - at the cost of some content flexibility. (Depending on the performance difference between input and output filtering, that might be an easy choice for most people.)

@cliftonc cliftonc referenced this issue from a commit
@cliftonc Ensure all fields escaped in output via = rather than - in EJS (as per issue #102), need to check across all modules.
9665b3a
@dennishall
Collaborator

One potential method of sanitization - albeit probably heavy+/expensive - might be to use jsdom (+jquerify if needed) to get innerText.

Another potential method - but labor-intensive: port htmLawed to js [http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed]. NOTE: It also has some useful test cases that we might want to run against whatever solution is used.

Similar, but already written in js - This question, http://stackoverflow.com/questions/1637275/simple-html-sanitizer-in-javascript, is answered with a link to a plugin for the 'caja' library: http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js

@arosboro

I made a modification to use the sanitizer npm module which uses caja as dennishall suggested. Changed the content and user modules to sanitize output. Pull request to follow.

@richtera
Collaborator

The sanitizer stuff causes problems.
Do you know how to configure the sanitizer? It is removing links inside of each post.
So if the post has an <a href="..."> it ends up with <a> only, removing the href.
I understand that a href can pose a problem but in a CMS you need to be able to post items which have HTML that might be considered problematic since the posts are not just rich text. It looks like the sanitizer assumes we're just dealing with HTML formatted text and not HTML pages.
