Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cross-Site Scripting Vectors (XSS) #78

Open
cferdinandi opened this issue Jul 22, 2023 · 5 comments
Open

Cross-Site Scripting Vectors (XSS) #78

cferdinandi opened this issue Jul 22, 2023 · 5 comments

Comments

@cferdinandi
Copy link

Hi there! From one lightweight reactive library creator to another, nice work!

Just wanted to flag a few XSS vectors not currently blocked by ArrowJS. The first two alerts show up. The third alert (in the svg) and fourth do not. The janky table format is rendered, as is the link which, if opened, runs an attack.

I'm not sure what your rendering and diffing engine looks like under-the-hood, or I'd share a fix, but if you want, feel free to peruse my source code if anything in there is useful to you.

let xss = [
	`<p><img src="x" onerror="alert(1)"></p>`,
	`<p>abc<iframe//src=jAva&Tab;script:alert(2)>def</p>`,
	`<svg><g/onload=alert(3)//<p>`,
	`<math><mi//xlink:href="data:x,<script>alert(4)</script>">`,
	`<TABLE><tr><td>HELLO</tr></TABL>`,
	`<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>`
];

let template = html`${xss.map(function (elem) {
	return html`${elem}`;
})}`;

template(document.querySelector('#app'));
@madelson
Copy link

madelson commented Sep 8, 2023

Will these be fixed?

@justin-schroeder
Copy link
Owner

Definitely. It actually is fixed in the arrow-refactor-2 branch (as well as a bunch of perf improvements). However, that said, arrow is still an experiment and I’m looking for the right tradeoffs to make. There will likely be a arrow-refactor-3 branch perhaps even a 4th as we try to path find here.

@cferdinandi
Copy link
Author

This is also generally only a problem with third party data. Most people don’t XSS attack themselves. Still useful to be aware of.

@madelson
Copy link

@justin-schroeder thanks for the update. Do you have a sense of when the next version would be released / how breaking it would be? Is there a good way to follow progress? I'm starting a new project and interested in trying Arrow. Curious what the upcoming changes and timelines are like.

@cferdinandi the code you show has these hard-coded into the templates themselves. I'm more worried about an XSS attack where I include some data as text content and arrow fails to escape it such that it injects tags/behavior onto the page. Have you seen anything like that? Am I thinking about this the right way?

@cferdinandi
Copy link
Author

@madelson That's exactly right! I hard-coded them just for example purposes, but in real-life situations, the danger is user-generated or API-derived data that you use in your templates containing malicious code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@madelson @cferdinandi @justin-schroeder