fix xss bug on tooltip initialize #853

Open
wants to merge 1 commit into
from

4 participants

@clod81

Tooltip doesn't sanitize html when initialized, even though the html passed is already sanitized.
I found a patch from here, but probably a pull request was never done.
OtaK/foundation@eb68779

@clod81

example of bug (mouse over the image to trigger):

http://jsfiddle.net/tNm8d/

@clod81

guess the possibility to accept raw html could be made optional, but by default I think is too risky for this kind of bugs. Html could be allowed only if user does not have direct control of the input fed to tooltip component

@sjankis

I understand the concern.
I just want to make the point that, as well as fixing the bug where escaped html in title was getting executed,
this fix also removes the ability to deliberately put unescaped html in title.
I think it's user's responsibility to sanitize input, so I'd prefer to see escaped and unescaped html treated differently.
However, there is still next-element mechanism for creating rich tooltips, so it's not that big a deal.

@clod81

Did you see example? http://jsfiddle.net/tNm8d/
The input is escaped, but the code is still executed

@Iiridayn

I would be pleased even if only with a configuration option that triggers this patch, even if off by default. I would of course prefer on by default as a security measure, but I don't know what opposition that would face. I was honestly surprised to find a security hole in this library and expected that our site was merely out of date or misconfigured.

@Iiridayn

Off topic, but is it possible to patch a pull request (eg, to add a setting)? With git I would just checkout the master repo, pull and merge the commit, add another commit, and request a pull from there - does this work in github? I can't seem to figure out how the ui supports it, and I've spent about as much time as I can justify (to my boss) on this.

@clod81

You need to fork the project first, then do your patch, then do a pull request.
That is what I did, but my pull request has never been considered, because it's not a concerne for the owner of the project.

@donmerlin

Read all the comments, and just have one short one to add of my own. Because this issue has been reported as a security issue by IBM IT, it makes it difficult for some people (e.g., me) to get permission to use it. So, please, pull the patch into the release, provide whatever options to make people happy, but I would love to see the security issue closed. Here's the link: http://xforce.iss.net/xforce/xfdb/78122

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment