Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use jQuery's text() instead of html() where safer #3779

Merged
merged 3 commits into from
Oct 21, 2019
Merged

Use jQuery's text() instead of html() where safer #3779

merged 3 commits into from
Oct 21, 2019

Conversation

javierm
Copy link
Member

@javierm javierm commented Oct 20, 2019
edited
Loading

Background

Using html() makes it possible to insert <script> tags in the DOM, so it shouldn't be done unless we're 100% sure the content is safe. While the content is safe in most cases, since it's already escaped by Rails, there are a couple of places where there's a remote chance of the content not being safe.

Objectives

Reduce the (small) chances of XSS attacks because of the way we manipulate the DOM.

Notes

The same happens with many jQuery methods, like append or insertBefore. After reviewing the code, I haven't identified a place where these methods might be potentially dangerous.

@javierm javierm added the security Pull requests that address a security vulnerability label Oct 20, 2019
@javierm javierm self-assigned this Oct 20, 2019
@javierm javierm added this to Reviewing in Roadmap via automation Oct 20, 2019
@javierm javierm changed the base branch from sanitize_description to master October 21, 2019 18:18
@javierm javierm changed the title Use jQuery's text() instead of html() where possible Use jQuery's text() instead of html() where safer Oct 21, 2019
@javierm
Don't sanitize <span> tags in HTML attributes
31c2379 
Doing so will cause the `<span>` tag to be rendered in the document,
instead of being rendered as a data attribute.
@javierm
Use text() instead of html()
d61e8cb 
Using html() makes it possible to insert <script> tags in the DOM, and
in this case we aren't supposed to be inserting any HTML.

I haven't found a way to focus on a field with Capybara, then add a
character, and focus on another field. So I've manually triggered the
change event in the test.
@javierm
Avoid using html() to set languages description
7f1bfc6 
The jQuery html() function does not filter <script> tags, so if somehow
an attacker introduced a <script> in the translation, we would be
vulnerable to a XSS attack.

Note using $.parseHTML wouldn't solve the problem, since it doesn't
filter attributes in image tags.

Since changing the text of the part which doesn't have the count wasn't
very clean, I've added another <span> tag for the part with the
description, and so we can use jQuery's text() function to replace it.
@javierm javierm moved this from Reviewing to Testing in Roadmap Oct 21, 2019
@javierm javierm merged commit a871379 into master Oct 21, 2019
Roadmap automation moved this from Testing to Release 1.1.0 Oct 21, 2019
@javierm javierm deleted the jquery_xss branch October 21, 2019 19:18
smarques pushed a commit to venetochevogliamo/consul that referenced this pull request Apr 29, 2020
@javierm
Merge pull request consuldemocracy#3779 from consul/jquery_xss
4c16a08 
Use jQuery's text() instead of html() where safer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@javierm javierm

Labels
security Pull requests that address a security vulnerability
Projects
No open projects
Roadmap
  
Release 1.1.0
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@javierm