Conversation

Contributor

BeLi4L commented Oct 6, 2022

Actually fixes #849

The issue was: we encoded the JS script before saving it, therefore making it corrupted (& became &amp;, etc.).

Now, we store the raw JS sent by the client in DB, and only when DISPLAYING the value, we sanitize it to prevent XSS.

Please tell me if there's another XSS issue somewhere, because apart from the main page, I didn't think of anything else ;)

Properly fix the old XSS bug: store the raw value in DB (so that actual JS can be executed), and sanitize it when displaying it on the main page.
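As an added illustration of the approach this PR describes (store the raw value, escape only when rendering), the following is example code and not Togglz's own; the escapeHtml helper, the in-memory map standing in for the database table, and the renderListItem method are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Added example (not Togglz code): contrasts encoding a script parameter at
// storage time with escaping it at render time.
public class RenderTimeEscapingExample {

    // Minimal HTML escaper for text content; an assumed helper, not the
    // project's SanitizeHtmlRenderer.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // In-memory stand-in for the database table holding strategy parameters.
    static final Map<String, String> db = new HashMap<>();

    // Old behaviour: encode before saving. The stored script no longer equals
    // what the client sent, so the scripting API cannot execute it as written.
    static void saveEncoded(String key, String script) {
        db.put(key, escapeHtml(script));
    }

    // New behaviour: store the raw value; escaping is an output concern.
    static void saveRaw(String key, String script) {
        db.put(key, script);
    }

    // Rendering of one list item on the console main page, escaping at
    // display time so that markup in the value becomes inert text.
    static String renderListItem(String label, String value) {
        return "<li>" + escapeHtml(label) + ": " + escapeHtml(value) + "</li>";
    }

    public static void main(String[] args) {
        // Constructed sample script; the && and quotes are what got corrupted
        // by storage-time encoding.
        String script = "user.role == 'admin' && count > 3";

        saveEncoded("p1", script);
        System.out.println("stored (old): " + db.get("p1"));

        saveRaw("p2", script);
        System.out.println("stored (new): " + db.get("p2"));

        System.out.println("rendered: " + renderListItem("script", db.get("p2")));

        // Self-checks: the raw value round-trips through storage unchanged,
        // and markup in a value never reaches the page unescaped.
        if (!db.get("p2").equals(script)) {
            throw new AssertionError("raw value must round-trip through storage");
        }
        if (renderListItem("l", "<b>").contains("<b>")) {
            throw new AssertionError("rendered output must be escaped");
        }
    }
}
```

The separation of concerns matters for detection and review as well: with raw values in the database, any HTML-looking content in a stored parameter is a data fact, not a sign of tampering, and the single place to audit for XSS is the rendering path.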
@codecov-commenter

Codecov Report

Base: 55.35% // Head: 55.15% // Decreases project coverage by -0.19% ⚠️

Coverage data is based on head (81c6693) compared to base (4f456ee).
Patch coverage: 0.00% of modified lines in pull request are covered.

Additional details and impacted files
@@             Coverage Diff              @@
##             master     #858      +/-   ##
============================================
- Coverage     55.35%   55.15%   -0.20%     
  Complexity      893      893              
============================================
  Files           175      176       +1     
  Lines          4482     4498      +16     
  Branches        587      587              
============================================
  Hits           2481     2481              
- Misses         1839     1855      +16     
  Partials        162      162              
Impacted Files Coverage Δ
...ogglz/console/handlers/index/IndexPageHandler.java 11.53% <0.00%> (-0.97%) ⬇️
...z/console/handlers/index/SanitizeHtmlRenderer.java 0.00% <0.00%> (ø)
.../java/org/togglz/console/model/ParameterModel.java 0.00% <0.00%> (ø)


@BeLi4L
Contributor Author

BeLi4L commented Oct 7, 2022

@bennetelli If you have any questions, please don't hesitate to ask 😉

Just to be clear, this adds a way to sanitize the HTML passed to the template engine, using the ${param;sanitizeHtml} syntax instead of the raw ${param}. I didn't find any docs on doing this XSS-prevention directly within JMTE, which is really a shame for a template engine, even a "minimal" one 😅

${foreach feature.strategy.parameters param}
${if param.hasValue}
<li>${param.label}: ${param.value}</li>
<li>${param.label}: ${param.value;sanitizeHtml}</li>
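Review bot: only param.value gets the ;sanitizeHtml renderer on the changed line, while ${param.label} on the same line is still rendered raw. If parameter labels can originate from the same client input as the values, the label needs the same treatment (${param.label;sanitizeHtml}); if labels are trusted because they are defined in code rather than stored from user input, it would help to say so in the PR description.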
Member

@BeLi4L does this work? That looks wrong somehow

Contributor Author

Yet that's the official JMTE syntax:

It uses the renderer name (here sanitizeHtml) defined in SanitizeHtmlRenderer.java

Contributor Author

And yes, it works. I tested it on my machine: the custom renderer is called, and it prevents XSS on the main page when displaying the script ;)

Member

Okay thanks :) the syntax looks a bit weird.
Thanks for your PR :)

@bennetelli bennetelli merged commit b02e225 into togglz:master Oct 7, 2022

Development

Successfully merging this pull request may close these issues.

JavaScripting API: encoding issue

3 participants