diff --git a/README.md b/README.md
index d332f1be..0c45f1e4 100644
--- a/README.md
+++ b/README.md
@@ -120,8 +120,13 @@ _(v1.0 - v1.16)_ Script server _is_ vulnerable to these attacks. _(v1.17+)_
-Script server is protected against XSRF attacks via a special token.
-XSS protection TBD.
+Script server is protected against XSRF attacks via a special token.
+XSS protection: the code is written according to
+[OWASP Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)
+and the only **known** vulnerabilities are:
+
+* `output_format`=`html_iframe`, see the reasoning in the
+ linked [Wiki page]((https://github.com/bugy/script-server/wiki/Script-config#output_format))
 ## Contribution
diff --git a/samples/scripts/html_output_test.py b/samples/scripts/html_output_test.py
index c0cc198b..5cf9398a 100755
--- a/samples/scripts/html_output_test.py
+++ b/samples/scripts/html_output_test.py
@@ -187,7 +187,7 @@
-
+

social

- +Test XSS + + + ''' print(text)
diff --git a/web-src/src/common/components/terminal/html/HtmlOutput.js b/web-src/src/common/components/terminal/html/HtmlOutput.js
index 57149616..a2806d79 100644
--- a/web-src/src/common/components/terminal/html/HtmlOutput.js
+++ b/web-src/src/common/components/terminal/html/HtmlOutput.js
@@ -1,4 +1,5 @@
-import {addClass} from '@/common/utils/common'
+import {addClass, destroyChildren} from '@/common/utils/common'
+import DOMPurify from 'dompurify'
 export class HtmlOutput {
 constructor() {
@@ -16,7 +17,10 @@ export class HtmlOutput {
 }
 write(text) {
- this.element.innerHTML += text
+ this.rawText += text
+
+ destroyChildren(this.element)
+ this.element.appendChild(DOMPurify.sanitize(this.rawText, {RETURN_DOM_FRAGMENT: true}))
 }
 removeInlineImage(outputPath) {
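Review bot: Every `write` now re-sanitizes and re-renders the whole accumulated buffer — `destroyChildren(this.element)` followed by `appendChild(DOMPurify.sanitize(this.rawText, …))` — so the work per chunk grows with everything written so far and any DOM state in the container (scroll position, already-loaded images that `removeInlineImage` below appears to manage) is discarded on each call, which lets a script that streams a lot of HTML make the tab unresponsive. Sanitizing the full buffer rather than each chunk is the right call for correctness (a tag split across two chunks must be sanitized as one document), so the fix is to bound how often the re-render runs, e.g. by coalescing writes into one render per animation frame as sketched below. `this.rawText` is not initialised anywhere in the hunk; if the constructor (outside this view) does not set it to `''`, the first write yields the string `undefined…`, so worth confirming. DOMPurify runs here with its default allowlist, which as far as I recall still keeps `<style>`/`style=`, `<form>`/`<input>` and remote `<img src>` URLs, so sanitized output can still phish or beacon out even though it cannot run script; if script output may carry user-supplied text, pass an explicit config such as `{RETURN_DOM_FRAGMENT: true, FORBID_TAGS: ['style', 'form', 'input'], FORBID_ATTR: ['style']}`. `write` is shown in full, but the enclosing class continues outside the hunk.
```javascript
write(text) {
    this.rawText += text
    // Coalesce bursts of output: one sanitize + render per frame instead of per chunk.
    if (this.renderScheduled) return
    this.renderScheduled = true
    requestAnimationFrame(() => {
        this.renderScheduled = false
        destroyChildren(this.element)
        this.element.appendChild(DOMPurify.sanitize(this.rawText, {RETURN_DOM_FRAGMENT: true}))
    })
}
```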