[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dojo / CVE-2018-6561

Hi Brian

I tend to agree with your analysis.

Source edit mode seems to be a separate module.

I do not know whether that one is included or not.
According to that module page it has filtering support to filter out
such things to avoid XSS attacks.

I agree with you that the server side that the data is posted to, also
need to do validation of the contents as you can not trust a client
side security check.
I think we can mark this as ignored as this is more of a minor security problem.

Best regards

// Ola

On 6 February 2018 at 08:31, Brian May <brian@linuxpenguins.xyz> wrote:
> Hello All,
> Looking at
> https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md:
> The complaint appears to be: If I directly enter HTML into the
> JavaScript editor using its source mode, I can enter HTML code that
> contains JavaScript code, which could lead to an XSS attack.
> I tried to reproduce this with the same online editor:
> http://demos.dojotoolkit.org/demos/editor/demo.html
> However I seem to be unable to find the source mode button.
> Lets just assume this complaint is reproducible.
> This is a JavaScript application, designed to run entirely - I believe -
> in the browser. Hence even if the JavaScript application filtered
> dangerous HTML text, the fact remains it is still possible for the user
> to override the data submitted and still create XSS attacks.
> Hence I believe the only solution for this security bug is that the
> server the data is being submitted to must sanitise the HTML to ensure
> it is safe (and should already be doing so).
> While this might be a bug, I don't believe the failure of a JavaScript
> library to validate input is a *security* *bug*, as the server should be
> doing this.
> Any comments?
> Regards
> --
> Brian May <brian@linuxpenguins.xyz>
> https://linuxpenguins.xyz/brian/

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: