
CSS injection vulnerabilities #300

Closed
jamesknelson opened this Issue Aug 23, 2017 · 1 comment

jamesknelson commented Aug 23, 2017

  • glamorous version: all (as far as I can tell)
  • glamor version: all (as far as I can tell)
  • react version: all (as far as I can tell)

Glamorous is currently vulnerable to CSS injection vulnerabilities.

As an example, you can change the background color of the page via props on Div elements:

// The value closes the current `color:` declaration and rule block (`white;}`),
// injects a new rule for `body`, and then opens a dangling rule (`.x{color: red`)
// so that the closing brace glamor appends still produces valid CSS.
const textColor = `white;}
  body {
    background-color: purple;
  }
  .x{color: red`

// The prop is passed straight through into the generated stylesheet.
<Div color={textColor}>
  Hello!
</Div>

Reproduction:

https://codesandbox.io/s/4x56prkp64

Problem description:

If a malicious user is able to feed props into Glamorous components on a page that a target user is viewing, they can inject any styles they'd like into the target's page.

This can result in defacing your app/website, capturing keystrokes in fields, finding the characters used in a certain HTML element, or in the case of IE9, possibly even arbitrary JavaScript execution.

Suggested solution:

I feel like {, } and " (at minimum) should probably be escaped. However, I'm not yet experienced enough with glamorous to understand whether that would cause other problems?

@kentcdodds

kentcdodds commented Aug 23, 2017

Hi @jamesknelson! Thanks for bringing this up. It's really a concern of glamor (the library responsible for inserting CSS into the browser). And I expect that if you were to ask @threepointone about it, he'd say that you should be escaping user input yourself. It's pretty rare that user input is used in styles, so I don't expect it to be a major issue. If you are concerned about it, then you could write a glamor plugin to do the escaping for you with just a few lines of code.

I'm 99% certain we won't be making any changes to glamorous, and I'm fairly certain that glamor won't be making changes to account for this, but @threepointone can weigh in if he's interested.

Thanks again! If you do create a plugin to do this, then I think you could add an example to the glamorous examples (like this one).

Thanks! And good luck!
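A value sanitizer in the shape of the glamor plugin suggested above, written here as an added example rather than code from glamorous or glamor; the `{ selector, style }` in/out contract is assumed from glamor's `plugins.add` API, and `isSafeCssValue`, `sanitizeStyle` and `sanitizeStylePlugin` are names chosen for this example. Rather than escaping the characters the issue lists, it drops any declaration whose value could break out of its rule.

```javascript
// Characters and sequences that let a value escape its declaration or rule:
// block delimiters, declaration terminator, quotes, backslash escapes,
// comment openers, line breaks, and at-rule introducers.
const UNSAFE_CSS_VALUE = /[{};"'\\\r\n@]|\/\*/;

// Numbers, booleans and undefined cannot break out of a declaration; only
// strings are checked.
function isSafeCssValue(value) {
  if (typeof value !== 'string') return true;
  return !UNSAFE_CSS_VALUE.test(value);
}

// Walks a glamor-style object, recursing into nested blocks such as
// ':hover' or '@media (...)', and omits any declaration whose value is
// unsafe. Dropped property names are pushed onto `rejected` so the caller
// can log them.
function sanitizeStyle(style, rejected = []) {
  const clean = {};
  for (const [prop, value] of Object.entries(style)) {
    if (value !== null && typeof value === 'object') {
      clean[prop] = sanitizeStyle(value, rejected);
    } else if (isSafeCssValue(value)) {
      clean[prop] = value;
    } else {
      rejected.push(prop);
    }
  }
  return clean;
}

// Plugin-shaped wrapper (assumed glamor contract: receives { selector, style },
// returns the same shape).
function sanitizeStylePlugin({ selector, style }) {
  return { selector, style: sanitizeStyle(style) };
}

// Constructed sample input: the payload from the issue above.
const INJECTED_TEXT_COLOR = `white;}
  body {
    background-color: purple;
  }
  .x{color: red`;

const result = sanitizeStylePlugin({
  selector: '.css-example',
  style: { color: INJECTED_TEXT_COLOR, fontSize: 14, ':hover': { color: 'red' } },
});
console.log(JSON.stringify(result)); // the injected `color` declaration is gone
```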
