
alexcjohnson
Collaborator

Fixes an XSS vulnerability in links defined with the special popup attribute. See the added test case for three variants that were previously able to exploit it.

The fix here constructs the onclick handler in a safer way: it re-extracts href and target from the element attributes, and it restricts the characters allowed in the popup (strWindowFeatures) attribute since we know there's only so much that can be used there.

cc @etpinard @scjody - this bug came in with #1783, which was included in v1.28.0
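As an added illustration (not plotly.js code), here is how the three ideas from the description fit together in plain JavaScript: a protocol allowlist for the href, a click handler that re-reads href/target from the element instead of interpolating them into an onclick source string, and a character allowlist for strWindowFeatures. The attribute name `popup`, the allowed protocol set, the allowed feature characters and the `fakeAnchor` helper are assumptions made for this example.

```javascript
// Added example (not plotly.js code): the safer popup-link construction the PR
// describes, written DOM-free so it runs in Node. Assumptions: the attribute is
// named "popup", and these protocol / feature-character allowlists.
const PROTOCOLS = ['http:', 'https:', 'mailto:'];

// strWindowFeatures is a comma-separated list of name=value tokens such as
// "width=500,height=400,resizable". Nothing outside this set is needed there,
// so any other character is dropped instead of being interpolated.
function sanitizeWindowFeatures(features) {
  return String(features == null ? '' : features).replace(/[^A-Za-z0-9_=,]/g, '');
}

// Resolve href the way a dummy <a> would and accept it only if its protocol is
// allowlisted; returns null otherwise. `base` stands in for document.baseURI.
function safeHref(href, base) {
  if (typeof href !== 'string') return null;
  let protocol;
  try {
    protocol = new URL(href, base || 'https://example.invalid/').protocol;
  } catch (e) {
    return null;
  }
  return PROTOCOLS.indexOf(protocol) !== -1 ? href : null;
}

// Build the click handler as a closure rather than an onclick source string.
// `el` exposes getAttribute(name) (an HTMLAnchorElement in the browser);
// `open` is window.open, or a stand-in for testing. Returns true if a window
// was opened, false if the link was refused.
function makePopupHandler(el, open) {
  return function onClick(evt) {
    // Re-read href/target/popup from the element at click time so attribute
    // values never travel through string concatenation into executable code.
    const href = safeHref(el.getAttribute('href'));
    if (href === null) return false;
    const target = el.getAttribute('target') || '_blank';
    const features = sanitizeWindowFeatures(el.getAttribute('popup'));
    if (evt && typeof evt.preventDefault === 'function') evt.preventDefault();
    open(href, target, features);
    return true;
  };
}

// Constructed stand-in for an element (hypothetical helper for running
// this example outside a browser).
function fakeAnchor(attrs) {
  return { getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}
```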

etpinard added the labels "status: reviewable" and "bug (something broken)" on Jul 17, 2017
dummyAnchor.href = href;
if(PROTOCOLS.indexOf(dummyAnchor.protocol) !== -1) {
nodeSpec.href = href;
nodeSpec.href = encodeURI(href);
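Review bot: `encodeURI` on the added line re-encodes `%`, so an href that is already percent-encoded (a path containing `%20`, say) becomes `%2520` and no longer points at the same resource; if the intent is only to make odd values look URL-like, consider leaving hrefs that already contain valid percent escapes alone, or drop the step and rely on the protocol check above plus plain attribute assignment. Note also that `encodeURI` leaves `'`, `(` and `)` untouched, so it is not what keeps quote characters from breaking out of the onclick string.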
Contributor


Nicely done.

Collaborator Author


FWIW I couldn't identify any vulnerability due to not calling encodeURI here - quotes and other special characters embedded in href still can't break you out of the href attribute (while constructing the onclick string or otherwise) to where you can cause more damage - but it makes strange items look more url-like.


@scjody scjody left a comment


💃 LGTM

alexcjohnson merged commit e3eba8a into master on Jul 18, 2017
alexcjohnson deleted the popup-fix branch on July 18, 2017 at 20:15