
dojo / CVE-2018-6561



Hello All,

Looking at
https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md:

The complaint appears to be: If I directly enter HTML into the
JavaScript editor using its source mode, I can enter HTML code that
contains JavaScript code, which could lead to an XSS attack.

I tried to reproduce this with the same online editor:
http://demos.dojotoolkit.org/demos/editor/demo.html

However I seem to be unable to find the source mode button.

Let's just assume this complaint is reproducible.

This is a JavaScript application, designed to run entirely - I believe -
in the browser. Hence even if the JavaScript application filtered
dangerous HTML text, the fact remains it is still possible for the user
to override the data submitted and still create XSS attacks.

Hence I believe the only solution for this security bug is that the
server the data is being submitted to must sanitise the HTML to ensure
it is safe (and should already be doing so).

While this might be a bug, I don't believe the failure of a JavaScript
library to validate input is a *security* *bug*, as the server should be
doing this.

Any comments?

Regards
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/