New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

filterXxs shouldn't really be doing these type of 'black-list' transformations #28

Closed
DinisCruz opened this Issue Dec 13, 2014 · 1 comment

Comments

Projects
None yet
2 participants
@DinisCruz

DinisCruz commented Dec 13, 2014

I was looking at your tests and noticed https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/test/xss_tests.js#L2 which uses filterXss form https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/src/js/utils/utils.js#L153

For example a playload flie onmouseover=alert(42) will pass that filter (and there are tons of other xss corner cases, see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for a nice list)

In case it help, here is a good XSS reference: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Dec 14, 2014

Contributor

agreed - and good timing as well. I've just released version 1.0.6 that changes the mechanism by which configuration is passed to new windows from url parameters to localStorage. The only thing that's appended to the URL is the key to the localStorage entry. This should hopefully close the attack vector created by parsing data from the URL in a way more solid fashion than any XSS filtering ever could.

Please re-open the issue if there are still vulnerabilities.

Contributor

ghost commented Dec 14, 2014

agreed - and good timing as well. I've just released version 1.0.6 that changes the mechanism by which configuration is passed to new windows from url parameters to localStorage. The only thing that's appended to the URL is the key to the localStorage entry. This should hopefully close the attack vector created by parsing data from the URL in a way more solid fashion than any XSS filtering ever could.

Please re-open the issue if there are still vulnerabilities.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment