#245 #79 protected "html" outputFormat against XSS attacks

bugy · Apr 18, 2021 · 293d2a1 · 293d2a1
1 parent 4b48020
commit 293d2a1
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -120,8 +120,13 @@ _(v1.0 - v1.16)_
 Script server _is_ vulnerable to these attacks.
 
 _(v1.17+)_  
-Script server is protected against XSRF attacks via a special token.    
-XSS protection TBD.
+Script server is protected against XSRF attacks via a special token.      
+XSS protection: the code is written according to
+[OWASP Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)
+and the only **known** vulnerabilities are:
+
+* `output_format`=`html_iframe`, see the reasoning in the
+  linked [Wiki page]((https://github.com/bugy/script-server/wiki/Script-config#output_format))
 
 ## Contribution
 

diff --git a/samples/scripts/html_output_test.py b/samples/scripts/html_output_test.py
@@ -187,7 +187,7 @@
     </ul>
   </div><!-- /.blogroll -->
 
-  <div class="social" style="float: right; width: 175px;">
+  <div class="social" style="float: right; width: 175px;" onload=alert('test1')>
 
     <h2 style="color: #C74350; font-size: 1.429em; margin-bottom: .25em; padding: 0 3px;">social</h2>
     <ul  style="list-style: none; margin: 0;">
@@ -208,7 +208,10 @@
     </ul>
   </div><!-- /.social -->
 </section><!-- /#extras -->
-
+<a href="javascript:alert('a-href)">Test XSS<a>
+<a href="javascript:alert('event-source')"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>
+<img src="javascript:alert('img')">
+<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
 '''
 
 print(text)
diff --git a/web-src/src/common/components/terminal/html/HtmlOutput.js b/web-src/src/common/components/terminal/html/HtmlOutput.js
@@ -1,4 +1,5 @@
-import {addClass} from '@/common/utils/common'
+import {addClass, destroyChildren} from '@/common/utils/common'
+import DOMPurify from 'dompurify'
 
 export class HtmlOutput {
     constructor() {
@@ -16,7 +17,10 @@ export class HtmlOutput {
     }
 
     write(text) {
-        this.element.innerHTML += text
+        this.rawText += text
+
+        destroyChildren(this.element)
+        this.element.appendChild(DOMPurify.sanitize(this.rawText, {RETURN_DOM_FRAGMENT: true}))
     }
 
     removeInlineImage(outputPath) {