PhleXSS #712
joeldrapper started this conversation in General
Replies: 0 comments
This is pretty embarrassing. We just published the third security advisory for Phlex this year (GHSA-9p57-h987-4vgx). 🙈
After the first two (GHSA-g7xq-xv8c-h98c and GHSA-242p-4v39-2v8g) which were kindly reported to us by members of the community, we invested in extensive browser tests, and those tests helped us find these last few issues.
It turns out browsers are incredibly permissive about how they interpret attributes that can execute JavaScript. We were testing Phlex code but we didn’t have the infrastructure in place to test how browsers interpret it. And it’s, honestly, insane what you can get away with.
I believe these new tests cover everything, but in case I’ve missed something else, I’m offering a $500 bounty for the next serious security issue.
I want Phlex to be the safest way to render HTML on a Ruby server, and these edge cases demonstrate just how difficult it is to correctly sanitise user input.
It’s worth noting that no other templating language or view component system for Ruby can even attempt to protect against these issues, since they don’t understand the structure of markup on the server. ERB, HAML, Slim, ActionView, ViewComponent are all vulnerable to the same attacks. We consider them vulnerabilities while they don’t because we can protect against them and they can’t.
If you’re interested in the new browser tests, you can see them here.
— Joel
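As an added illustration of the post's point that a renderer must understand markup structure (attribute names and URL-valued attributes) rather than escape characters, here is a small structure-aware attribute filter. This is example code written for this page, not Phlex's own implementation; `AttributeGuard`, its lists and its rules are assumptions, and it only mirrors two browser behaviours that are specified in the HTML and URL standards.

```ruby
require "cgi"

# Added example, not Phlex's code. Two facts a character-escaper cannot use:
#   1. HTML attribute names are ASCII case-insensitive, so "ONCLICK" is onclick;
#   2. the URL parser strips leading/trailing C0 controls and spaces and removes
#      tab, CR and LF anywhere before it reads the scheme.
# Only a renderer that knows which string is a name and which is a URL value
# can apply these rules on the server.
module AttributeGuard
  # Attributes whose value is a URL the browser may navigate to or load (assumed list).
  URL_ATTRIBUTES = %w[href src action formaction xlink:href].freeze
  # Schemes that execute script when navigated to.
  SCRIPT_SCHEMES = %w[javascript vbscript].freeze
  # Shape of a name we are willing to emit verbatim between quotes.
  NAME_PATTERN = /\A[a-z][a-z0-9:_.-]*\z/

  # Compare names the way the HTML tokenizer does: ASCII-lowercased.
  def self.normalise_name(name)
    name.to_s.downcase
  end

  # Normalise a URL the way the URL parser does before reading its scheme.
  def self.normalise_url(value)
    value.to_s.gsub(/[\t\r\n]/, "").gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
  end

  # True when the attribute is malformed or may execute script in a browser.
  def self.unsafe?(name, value)
    n = normalise_name(name)
    return true unless n.match?(NAME_PATTERN)
    # Conservative: every event-handler attribute starts with "on".
    return true if n.start_with?("on")
    if URL_ATTRIBUTES.include?(n)
      scheme = normalise_url(value)[/\A([a-z][a-z0-9+.-]*):/i, 1]
      return true if scheme && SCRIPT_SCHEMES.include?(scheme.downcase)
    end
    false
  end

  # Render an attribute list, escaping values and refusing unsafe attributes.
  def self.render(attributes)
    attributes.map do |name, value|
      raise ArgumentError, "unsafe attribute #{name.inspect}" if unsafe?(name, value)
      %(#{normalise_name(name)}="#{CGI.escapeHTML(value.to_s)}")
    end.join(" ")
  end
end
```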