Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

filterXxs shouldn't really be doing these type of 'black-list' transformations #28

Closed
DinisCruz opened this issue Dec 13, 2014 · 1 comment
Closed

Comments

@DinisCruz
Copy link

@DinisCruz DinisCruz commented Dec 13, 2014

I was looking at your tests and noticed https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/test/xss_tests.js#L2 which uses filterXss form https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/src/js/utils/utils.js#L153

For example a playload flie onmouseover=alert(42) will pass that filter (and there are tons of other xss corner cases, see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for a nice list)

In case it help, here is a good XSS reference: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

@deepstreamIO
Copy link
Contributor

@deepstreamIO deepstreamIO commented Dec 14, 2014

agreed - and good timing as well. I've just released version 1.0.6 that changes the mechanism by which configuration is passed to new windows from url parameters to localStorage. The only thing that's appended to the URL is the key to the localStorage entry. This should hopefully close the attack vector created by parsing data from the URL in a way more solid fashion than any XSS filtering ever could.

Please re-open the issue if there are still vulnerabilities.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant