Fix profile xss #449
Fix profile xss #449
Conversation
|
@lmarini and I looked together on other possible places related to this bug and realize that sometime it's unnecessary for the frontend template to use @html(). It should just render it as plain text instead of as html tags.
e.g. |
|
Replacing
with
still calls the javascript function. I am going to try writing an escape function that we can use. |
| Logger.debug("File was already in dataset.") | ||
| Logger.debug("Remove file from folders in dataset") | ||
| foldersContainingFile.foreach(folder => { |
There was a problem hiding this comment.
Any reason this logic is needed here?
| @@ -65,7 +65,7 @@ <h1>@profile.fullName</h1> | |||
| } else { | |||
| @if(ownProfile){ | |||
| <div id="prf-first-name" class="text-left inline"> | |||
| <h1 id="first-name-title" class="inline" style="cursor:pointer" title="Click to edit user's first name.">@Html(profile.firstName)</h1> | |||
| <h1 id="first-name-title" class="inline" style="cursor:pointer" title="Click to edit user's first name.">@Html(escapeString("<script>alert('XSS')</script>"))</h1> | |||
There was a problem hiding this comment.
What happen if you just remove the @html() altogether? Like we discussed, this way no html tag should be executed
Ah I just saw your comment above, then the escape function you have might solve the issue.
There was a problem hiding this comment.
Also shouldn't this be profile.firstName still? Looks like you might've pushed an temporary test to this PR.
There was a problem hiding this comment.
Last thing, there might be other places with @html tag, could you also apply the same fix to those?
| @@ -51,7 +51,7 @@ services: | |||
|
|
|||
| # main clowder application | |||
| clowder: | |||
| image: clowder/clowder:${CLOWDER_VERSION:-latest} | |||
| image: clowder:bugfix | |||
There was a problem hiding this comment.
Again this looks like a temp commit, should it revert back to the original image?
you can change the firstName and lastName to include javascript using the endpoint:
localhost:9002/api/users/662eacbe89108d20fb4cab22/updateName?firstName=bb&lastName=<script>alert('XSS')</script>I am using an imported function. This gets rid of the javascript being called, but then the name is blank on the profile page. It may not be the right method for this, or I may be using it wrong.