-
-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DOM-based XSS vulnerability in the Get Things Done Activity #160
Comments
Nice. |
The XSS attack can be handled by replacing any text ,that appears to be code(HTML/CSS/JavaScript) |
Code of Get Things Done activity is located https://github.com/llaske/sugarizer/tree/dev/activities/GetThingsDone.activity |
Would it be fixed by just encoding HTML? For example, turning " |
@nepaltechguy2 I suppose yes. |
Fixed DOM XSS via htmlencode, issue #160
Fixed in aec4166 |
Closing the issue, since it's fixed. |
If you type HTML/CSS/JavaScript code as a to-do list item, it runs perfectly and can even be used to modify elements of the UI.
Here's how to replicate:
Open the "Get Things Done" Activity
Copy and paste the following as an item in the To-Do list, and enjoy watching the UI get ruined:
Here's how I think this can be fixed:
When enter is pressed, use JavaScript to generate an iframe whose contents will be the text (or code) entered in the textarea. This will make sure the styles are applied only to what's there inside the box and not what's in the rest of the UI.
This should help in the implementation:
https://www.tutorialrepublic.com/faq/how-to-insert-html-content-into-an-iframe-using-jquery.php
https://www.tutorialrepublic.com/codelab.php?topic=faq&file=jquery-inject-html-into-an-iframe-from-the-textarea
The text was updated successfully, but these errors were encountered: