[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

dojo / CVE-2018-6561

Hello All,

Looking at

The complaint appears to be: If I directly enter HTML into the
JavaScript editor using its source mode, I can enter HTML code that
contains JavaScript code, which could lead to an XSS attack.

I tried to reproduce this with the same online editor:

However I seem to be unable to find the source mode button.

Lets just assume this complaint is reproducible.

This is a JavaScript application, designed to run entirely - I believe -
in the browser. Hence even if the JavaScript application filtered
dangerous HTML text, the fact remains it is still possible for the user
to override the data submitted and still create XSS attacks.

Hence I believe the only solution for this security bug is that the
server the data is being submitted to must sanitise the HTML to ensure
it is safe (and should already be doing so).

While this might be a bug, I don't believe the failure of a JavaScript
library to validate input is a *security* *bug*, as the server should be
doing this.

Any comments?

Brian May <brian@linuxpenguins.xyz>

Reply to: