Clean input values to prevent XSS vulnerability #4710

Merged
merged 1 commit into from Jun 21, 2018

@srallen
Member

srallen commented Jun 21, 2018

Staging branch URL: https://fix-xss-vulnerability.pfe-preview.zooniverse.org/

Fixes an issue brought to our attention by an email to the security group. This must be tested in Firefox; I couldn't get the XSS vulnerability to trigger in Chrome.

The example project:

https://www.zooniverse.org/projects/martenveldthuis/-svg-onload-equals-confirm-xss

This PR adds sanitization to the value that is saved in the project builder, so it prevents this from happening in the future. If you make a new project and try to save "'>'"><sVg/oNLoad=confirm(/xss/)>, it will sanitize the value before saving it. However, I haven't figured out how to stop existing projects with this display name from executing the script.

Required Manual Testing

  • Does the non-logged in home page render correctly?
  • Does the logged in home page render correctly?
  • Does the projects page render correctly?
  • Can you load project home pages?
  • Can you load the classification page?
  • Can you submit a classification?
  • Does talk load correctly?
  • Can you post a talk comment?

Review Checklist

  • Does it work in all major browsers: Firefox, Chrome, Edge, Safari?
  • Does it work on mobile?
  • Can you rm -rf node_modules/ && npm install and the app works as expected?
  • If the component is in coffeescript, is it converted to ES6? Is it free of eslint errors? Is the conversion its own commit?
  • Are the tests passing locally and on Travis?

Optional
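The caveat in the description above (sanitizing the value on save leaves already-stored display names untouched) is why output encoding at render time is normally the primary defense against stored XSS: it covers every record regardless of when or how it was written. The block below is an added illustration, not code from this PR or from the Zooniverse front end; `sanitizeDisplayName`, `escapeHtml`, `renderProjectCard` and the sample project records are assumptions constructed for the example.

```javascript
// Added example (not the PR's own code): save-time sanitization versus
// render-time HTML escaping for a user-controlled project display name.

// Characters that can change HTML context, with their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Render-time defense: encode the five HTML metacharacters so a stored
// value is always treated as text, never as markup or an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Save-time defense (hypothetical stand-in for what the PR adds to the
// project builder): strip anything that looks like a tag before storing.
// This only affects values written after the fix is deployed.
function sanitizeDisplayName(value) {
  return String(value).replace(/<[^>]*>?/g, '').trim();
}

// A project card template. Because escapeHtml runs here, both a newly
// sanitized name and an old, unsanitized one are rendered as inert text.
function renderProjectCard(project) {
  return `<h2 class="project-name">${escapeHtml(project.display_name)}</h2>`;
}

// Defender-side check: the only tags allowed in the rendered card are the
// template's own <h2> wrapper. Returns true when nothing else slipped in.
function isRenderSafe(html) {
  const inner = html.replace(/^<h2 class="project-name">/, '').replace(/<\/h2>$/, '');
  return !/[<>]/.test(inner);
}

// Constructed sample records. The first mimics a name stored before the
// fix (never sanitized); the second is a benign name; the third is what
// the same hostile input looks like after save-time sanitization.
const HOSTILE_NAME = '"><svg onload=confirm(1)>';
const SAMPLE_PROJECTS = [
  { id: 1, display_name: HOSTILE_NAME },               // legacy, unsanitized
  { id: 2, display_name: 'Galaxy Zoo' },               // benign
  { id: 3, display_name: sanitizeDisplayName(HOSTILE_NAME) }, // saved post-fix
];

// Render every record and report whether each card is safe.
function renderAll(projects) {
  return projects.map((p) => {
    const html = renderProjectCard(p);
    return { id: p.id, html, safe: isRenderSafe(html) };
  });
}

// Stand-alone demo.
for (const card of renderAll(SAMPLE_PROJECTS)) {
  console.log(card.id, card.safe ? 'safe' : 'UNSAFE', card.html);
}
```

The point the demo makes: record 1 was never sanitized, yet its card is safe because escaping happens on output; record 3 shows that save-time sanitization alone still leaves fragments such as `">` behind, which is harmless only because the renderer escapes them too.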

@eatyourgreens eatyourgreens merged commit e56c441 into master Jun 21, 2018

2 checks passed

continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed

@eatyourgreens eatyourgreens deleted the fix-xss-vulnerability branch Jun 21, 2018
