
DOM-based XSS vulnerability in the Get Things Done Activity #160

Closed
aryan-02 opened this issue Dec 23, 2017 · 7 comments

Comments

@aryan-02
Contributor

If you type HTML/CSS/JavaScript code as a to-do list item, it runs perfectly and can even be used to modify elements of the UI.

Here's how to replicate:

1. Open the "Get Things Done" Activity.
2. Copy and paste the following as an item in the To-Do list, and enjoy watching the UI get ruined:

```html
<style>*{background:red!important;border: 5px solid green!important; transition: all 0.5s; }*:hover{transform: scale(1.01)translateX(5px)}</style> <button style="color:white!important;background:black!important;" onclick="alert('Hello World')">Click Me!</button>
```

Here's how I think this can be fixed:

When enter is pressed, use JavaScript to generate an iframe whose contents will be the text (or code) entered in the textarea. This will make sure the styles are applied only to what's there inside the box and not what's in the rest of the UI.

This should help in the implementation:

- https://www.tutorialrepublic.com/faq/how-to-insert-html-content-into-an-iframe-using-jquery.php
- https://www.tutorialrepublic.com/codelab.php?topic=faq&file=jquery-inject-html-into-an-iframe-from-the-textarea

@llaske llaske added the bug label Dec 23, 2017
@llaske
Owner

llaske commented Dec 23, 2017

Nice.
Not in favor of fixing by iframe, it's not a good practice.

@conscioustahoe

The XSS attack can be handled by replacing any text that appears to be code (HTML/CSS/JavaScript) with an empty string.

@llaske
Owner

llaske commented Oct 21, 2018

Code of Get Things Done activity is located https://github.com/llaske/sugarizer/tree/dev/activities/GetThingsDone.activity

@samyok
Contributor

samyok commented Oct 26, 2018

Would it be fixed by just encoding HTML?

For example, turning "&" into "&amp;", "<" to "&lt;", etc.
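The encoding approach described in the comment above, as an added example (not Sugarizer's own code and not the fix in the referenced commit): an `htmlEncode` helper that escapes the five HTML-significant characters in one pass before the item text is built into markup. The function names and the constructed sample item are assumptions for illustration.

```javascript
// Added example, not the project's code: HTML-encode untrusted to-do text
// before it is placed into markup that will be inserted with innerHTML.
// Map of characters that must never reach the HTML parser unencoded.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Single-pass replacement: each character is looked up once, so "&" is never
// encoded twice (a pitfall of chained .replace() calls done in the wrong order).
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the list-item markup with the user text encoded. The browser then
// renders the angle brackets as literal characters instead of tags.
function renderItem(text) {
  return '<li class="todo-item">' + htmlEncode(text) + "</li>";
}

// Defensive check: strips the wrapper and confirms no raw tag delimiter
// survived encoding. Returns true when the inner content is inert text.
function innerIsInert(markup) {
  const inner = markup.replace(/^<li class="todo-item">/, "").replace(/<\/li>$/, "");
  return !/[<>]/.test(inner);
}

// Constructed sample (assumption): the shape of the payload from the issue.
const UNTRUSTED_ITEM =
  '<style>*{background:red!important}</style> <button onclick="alert(\'Hello World\')">Click Me!</button>';

console.log(renderItem(UNTRUSTED_ITEM));
```

When the list is built through the DOM API rather than a markup string, assigning the text with `textContent` instead of `innerHTML` achieves the same effect without any encoding step; the encoder above is for code paths that already concatenate HTML.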

@aryan-02
Contributor Author

@nepaltechguy2 I suppose yes.

llaske added a commit that referenced this issue Oct 28, 2018
Fixed DOM XSS via htmlencode, issue #160
@llaske llaske added this to the v1.1 milestone Oct 28, 2018
@llaske
Owner

llaske commented Oct 28, 2018

Fixed in aec4166

@aryan-02
Contributor Author

Closing the issue, since it's fixed.
