Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use jQuery's text() instead of html() where safer #3779

Merged
merged 3 commits into from
Oct 21, 2019
Merged

Conversation

javierm
Copy link
Member

@javierm javierm commented Oct 20, 2019

Background

Using html() makes it possible to insert <script> tags in the DOM, so it shouldn't be done unless we're 100% sure the content is safe. While the content is safe in most cases, since it's already escaped by Rails, there are a couple of places where there's a remote chance of the content not being safe.

Objectives

Reduce the (small) chances of XSS attacks because of the way we manipulate the DOM.

Notes

The same happens with many jQuery methods, like append or insertBefore. After reviewing the code, I haven't identified a place where these methods might be potentially dangerous.

@javierm javierm added the security Pull requests that address a security vulnerability label Oct 20, 2019
@javierm javierm self-assigned this Oct 20, 2019
@javierm javierm changed the base branch from sanitize_description to master October 21, 2019 18:18
@javierm javierm changed the title Use jQuery's text() instead of html() where possible Use jQuery's text() instead of html() where safer Oct 21, 2019
Doing so will cause the `<span>` tag to be rendered in the document,
instead of being rendered as a data attribute.
Using html() makes it possible to insert <script> tags in the DOM, and
in this case we aren't supposed to be inserting any HTML.

I haven't found a way to focus on a field with Capybara, then add a
character, and focus on another field. So I've manually triggered the
change event in the test.
The jQuery html() function does not filter <script> tags, so if somehow
an attacker introduced a <script> in the translation, we would be
vulnerable to a XSS attack.

Note using $.parseHTML wouldn't solve the problem, since it doesn't
filter attributes in image tags.

Since changing the text of the part which doesn't have the count wasn't
very clean, I've added another <span> tag for the part with the
description, and so we can use jQuery's text() function to replace it.
@javierm javierm merged commit a871379 into master Oct 21, 2019
@javierm javierm deleted the jquery_xss branch October 21, 2019 19:18
smarques pushed a commit to venetochevogliamo/consul that referenced this pull request Apr 29, 2020
Use jQuery's text() instead of html() where safer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant