URL input is written into web page. #602

Closed
GrainGenes opened this Issue Jun 5, 2015 · 5 comments

4 participants
@GrainGenes

GrainGenes commented Jun 5, 2015

I am developing the use of JBrowse in GrainGenes and am thinking about how to dynamically generate some of the JSON files for serving JBrowse. I wanted to test whether it was possible to insert a ? into the requested URL.
http://jbrowse.org/code/JBrowse-1.11.6/?data=?%3Ca%20href=%27http://yahoo.com%27%3EYahoo%3C/a%3E shows a link. This can be extended into XSS.
This loads an error page, since rather than requesting a JSON file, it requests a folder. Further, the error page does not filter HTML tags and displays a link.

Thanks,
Sayer

@cmdcolin


Contributor

cmdcolin commented Jun 5, 2015

Good catch

I think this is an example of a "non persistent" XSS, which is not the super bad kind of XSS, but should still be fixed. The super bad ("persistent") case is where it stays on the page even if they don't click a specially crafted link.

see http://en.wikipedia.org/wiki/Cross-site_scripting#Reflected_.28non-persistent.29

A similar thing was noted here #570 but this makes it more obvious.

@vivekkrish


Contributor

vivekkrish commented Feb 26, 2016

@GrainGenes , InterMine has developed functionality to serve out JBrowse compatible configs + data from the warehouse, in accordance with the JBrowse REST specifications.
See docs:
http://intermine.readthedocs.org/en/latest/webapp/third-party-tools/jbrowse/
https://intermine.readthedocs.org/en/selinium/web-services/how-tos/set-up-jbrowse/

An example, view all FlyMine data in JBrowse: http://jbrowse.org/code/JBrowse-1.12.0/?data=http://www.flymine.org/query/service/jbrowse/config/7227

Is this the sort of capability you are thinking about implementing?

Even if the URL you developed for serving JBrowse-compatible data had a "?" in it, with some clever Apache mod_rewrite functionality you could normalize (or clean) the URLs and have them be REST-like.

Does that sound reasonable, or am I way off base in interpreting your issue?

@cmdcolin


Contributor

cmdcolin commented Feb 26, 2016

@vivekkrish I think the issue is the XSS

The cross-domain data thing like FlyMine is awesome, but it is also technically a touchy issue.

For example, http://jbrowse.org/code/JBrowse-1.11.6/?data=http://genomes.missouri.edu/cdiesh/data&tracks=Genes

@cmdcolin


Contributor

cmdcolin commented Feb 26, 2016

Maybe there's another thing that GrainGenes was also looking for in terms of functionality that I didn't see in this post (e.g the ? in url)?

@rbuels


Collaborator

rbuels commented Jan 30, 2018

Just need to html-entity encode error messages in the error page.

@rbuels rbuels modified the milestones: 1.12.4, 1.12.5 Feb 2, 2018

@rbuels rbuels closed this in a95f2b8 Feb 20, 2018
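The following is an added example, not JBrowse code and not part of the thread above. It reproduces the reflected XSS reported by GrainGenes (the `data=` query parameter concatenated into an error message) and the fix rbuels describes, HTML-entity-encoding the message before it is written into the page. The `errorHtmlUnsafe`, `errorHtmlSafe`, `escapeHtml` and `dataParamOf` functions are hypothetical names chosen for the example; the URL is the one quoted in the issue. It runs under Node and builds HTML strings rather than touching a real DOM.

```javascript
// Added example (not JBrowse code): reflected XSS via the ?data= parameter,
// and the fix of HTML-entity-encoding the value before writing it to the page.

// The URL quoted in the issue report; the payload is a percent-encoded <a> tag.
const REPORTED_URL =
  "http://jbrowse.org/code/JBrowse-1.11.6/?data=?%3Ca%20href=%27http://yahoo.com%27%3EYahoo%3C/a%3E";

// Extract the data= parameter the way a browser-side app would see it
// (already percent-decoded, so the angle brackets are back).
function dataParamOf(url) {
  return new URL(url).searchParams.get("data");
}

// Vulnerable pattern (what the issue describes): the untrusted value is
// concatenated straight into markup, so any tags in it are rendered.
function errorHtmlUnsafe(dataUrl) {
  return '<div class="error">Could not load ' + dataUrl + "</div>";
}

// Minimal HTML entity encoder; safe for text nodes and for values placed
// inside double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: the value is encoded before it reaches the page, so the
// payload is displayed literally instead of being parsed as HTML.
function errorHtmlSafe(dataUrl) {
  return '<div class="error">Could not load ' + escapeHtml(dataUrl) + "</div>";
}

// Check used below and in the test: does an <a ...> tag survive in the output?
function injectedTagSurvives(html) {
  return /<a\s/i.test(html);
}

const payload = dataParamOf(REPORTED_URL);
console.log("decoded data= value:", payload);
console.log("unsafe:", errorHtmlUnsafe(payload));
console.log("safe:  ", errorHtmlSafe(payload));
```

In a real page the equivalent of `errorHtmlSafe` is to assign the message with `textContent` (or the framework's text-binding API) rather than `innerHTML`; the encoder above is only needed where markup is assembled as a string, as the error page in the issue evidently did. Note that the fix is output encoding, not input filtering: stripping tags from `data=` would still leave the value unsafe in attribute or script contexts.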
