
Prevent XSS #266

Open
csarven opened this issue Nov 29, 2018 · 3 comments
@csarven
Member

csarven commented Nov 29, 2018

Some XSS prevention rules mentioned at https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ( archived: https://web.archive.org/web/20181129114024/https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ) can be implemented. Labeling this issue as bug because we didn't systematically address this. Only in parts.

@csarven csarven added the bug label Nov 29, 2018
@csarven
Member Author

csarven commented Apr 1, 2019

@csarven
Member Author

csarven commented Mar 10, 2024

Added DOMPurify ( https://github.com/search?q=repo%3Alinkeddata%2Fdokieli+dompurify&type=commits ) and using it in a few places. It is an improvement. It needs more reviewing and updating. For example, what to do with the openResource case, where on one hand we want to be able to open an arbitrary document for editing and viewing, but we also want to sanitize the markup for bad stuff.

dokieli/src/dokieli.js, lines 5695 to 5700 in 64a80f7:

```js
//XXX: Revisit DOMPurify. This removes... pretty much everything. We don't necessarily want to completely get rid of styles (`link` or `style` tags). `script` tag and perhaps `style` attribute could perhaps be filtered - not sure if that's something we want to keep. Definitely do not remove RDF attributes (DO.C.RDFaAttributes).
// var sT = [...DO.C.MediaTypes.Markup, ...['text/plain', 'application/xhtml+xml']];
// if (sT.includes(options['contentType'])) {
//   data = DOMPurify.sanitize(data);
//   console.log(DOMPurify.removed)
// }
```

Leave this issue open or create new issues based on chaos?

@csarven
Member Author

csarven commented Mar 10, 2024

Another question is whether something like DOMPurify should be done at a lower level, in the first callbacks before passing it to other functions?

It needs to be limited to markup languages and possibly also plain text, otherwise it seems to mess up some of the concrete RDF syntaxes.

By default it gets rid of script, so any document with a data island (<script type="application/ld+json">) would immediately be lost in that case. Yet another great feature of hidden/grey metadata.. tsk tsk.
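A sketch of the three points raised in the two comments above (sanitize only markup media types, keep the RDFa attributes, and carry JSON-LD data islands across the sanitizer pass), added here as an example and not taken from dokieli. It assumes DOMPurify's `sanitize(html, config)` signature with its `ADD_ATTR` and `FORBID_TAGS` options; the media-type list, the RDFa attribute list and `demoPurify` are constructed for the example and are not dokieli's `DO.C` values.

```javascript
// Added example, not dokieli's code. `purify` is any object exposing DOMPurify's
// sanitize(html, config); in the browser that is DOMPurify itself.

// Media types that are markup and therefore safe to hand to a DOM sanitizer.
// Assumed list: Turtle, N-Triples and other RDF syntaxes are deliberately absent,
// since a DOM sanitizer would mangle their angle-bracket IRIs.
const MARKUP_TYPES = ['text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/plain'];

// RDFa attributes that must survive sanitizing (assumed list, standing in for DO.C.RDFaAttributes).
const RDFA_ATTRS = ['about', 'content', 'datatype', 'inlist', 'prefix', 'property',
  'rel', 'resource', 'rev', 'typeof', 'vocab'];

const LD_JSON_RE = /<script\b[^>]*\btype\s*=\s*["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script\s*>/gi;

// Pull JSON-LD islands out before sanitizing. Only well-formed JSON is kept; a body
// that does not parse is dropped rather than re-inserted as opaque script content.
function extractDataIslands(html) {
  const islands = [];
  const stripped = html.replace(LD_JSON_RE, (_, body) => {
    try { islands.push(JSON.parse(body)); } catch (e) { /* drop malformed island */ }
    return '';
  });
  return { stripped, islands };
}

// Re-serialize an island as an inert data block. "</" is written as "<\/" (a valid
// JSON escape) so no string value inside the data can close the script element early.
function serializeIsland(obj) {
  const json = JSON.stringify(obj).replace(/<\//g, '<\\/');
  return `<script type="application/ld+json">${json}</script>`;
}

function sanitizeDocument(data, contentType, purify) {
  if (!MARKUP_TYPES.includes(contentType)) return data; // leave RDF syntaxes untouched
  const { stripped, islands } = extractDataIslands(data);
  // Executable script is forbidden; RDFa attributes are explicitly allowed.
  const clean = purify.sanitize(stripped, { ADD_ATTR: RDFA_ATTRS, FORBID_TAGS: ['script'] });
  return clean + islands.map(serializeIsland).join('');
}

// Stand-in so this file runs outside a browser. It is NOT a sanitizer: it only
// removes <script> elements so the island round-trip can be exercised.
const demoPurify = {
  sanitize: (html) => html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
};
```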
