Closed kesar closed 1 year ago
Our Use case
Packages:
https://github.com/cure53/DOMPurify
https://marked.js.org/#/README.md#README.md
https://github.com/bevacqua/insane
https://github.com/apostrophecms/sanitize-html
Checks:
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
WYSIWYG does a pretty good job of parsing HTML as text, although there are some issues with iframes. Our editor does not render iframes, but if one contains an src attribute with any URL, it renders the link. I think that's a good starting point. Also, would we be testing the final render as shown on the wiki page or the string input? @kesar
Both; probably it's easier to test the string input than the wiki page. I would need to think a bit more about that.
What has been the progress on this task? Any repository I can take a look at?
For me, I have been doing a bit of research on the task. I recently moved to other urgent tasks. I plan to sync up with @AshakaE later today to get an update from him.
I actually haven't worked much on it but a PR should be up before the end of today
We need to play with the API / UI to ensure people can't inject malicious JS on wiki creation or break the layout with weird CSS.
Review JS, using iframes, using CSS, etc.
This task requires understanding possible XSS / JS attacks and creating a framework for testing them.
Review that they can't inject into the game and also other metadata fields besides wiki content.
This task is to be done before the BrainPASS NFT launch.
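As an added example of the "framework for testing" the issue asks for (this is not the project's code and not from the referenced packages), the script below runs a set of constructed XSS vectors from the categories in the OWASP cheat sheet through a sanitizer and checks that nothing executable or layout-breaking survives. `allowlistSanitize` is a deliberately small stand-in so the file runs without DOMPurify installed; in the project you would pass `DOMPurify.sanitize` (via a jsdom window) or `sanitizeHtml` as the `sanitize` argument and keep the checks. The `findUnsafe` patterns, vector list and helper names are all assumptions made for this example.

```javascript
// Added example, not project code: a tiny harness for exercising an HTML
// sanitizer with classic XSS vectors, plus a stand-in allowlist sanitizer.
// Replace `allowlistSanitize` with DOMPurify.sanitize or sanitizeHtml in the
// real test suite; the checks below stay the same.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br', 'h1', 'h2', 'h3']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
// Elements whose body must be dropped along with the tag.
const DROP_BODY_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'textarea']);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Accept only http(s) URLs, site-relative paths and fragments as link targets.
// Control characters are stripped first so "jav\tascript:" is not missed.
function safeHref(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (v.startsWith('http://') || v.startsWith('https://')) return true;
  if (v.startsWith('/') || v.startsWith('#')) return true;
  return !v.includes(':'); // bare relative path with no scheme
}

// Stand-in sanitizer: keeps allowlisted tags/attributes, escapes everything
// else. Good enough for the vectors here; not a replacement for DOMPurify
// (e.g. it double-escapes existing entities and does not parse quoted '>').
function allowlistSanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let pos = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index)); // text between tags
    pos = tagRe.lastIndex;
    const isClose = m[0][1] === '/';
    const name = m[1].toLowerCase();
    if (DROP_BODY_TAGS.has(name) && !isClose) {
      const closeIdx = html.toLowerCase().indexOf('</' + name, pos);
      if (closeIdx !== -1) {
        const end = html.indexOf('>', closeIdx);
        pos = end === -1 ? html.length : end + 1;
        tagRe.lastIndex = pos;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag dropped, its text kept
    if (isClose) { out += '</' + name + '>'; continue; }
    const attrs = [];
    const allowed = ALLOWED_ATTRS[name];
    if (allowed) {
      let a;
      while ((a = attrRe.exec(m[2])) !== null) {
        const an = a[1].toLowerCase();
        const av = a[2] ?? a[3] ?? a[4] ?? '';
        if (!allowed.has(an)) continue;
        if (an === 'href' && !safeHref(av)) continue;
        attrs.push(` ${an}="${escapeText(av)}"`);
      }
    }
    out += '<' + name + attrs.join('') + '>';
  }
  out += escapeText(html.slice(pos));
  return out;
}

// Checks applied to sanitizer OUTPUT: anything matching is a failed test case.
const DANGER_PATTERNS = [
  { name: 'script element', re: /<script\b/i },
  { name: 'inline event handler', re: /<[^>]*[\s/]on[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /(href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'frame/object element', re: /<(iframe|object|embed)\b/i },
  { name: 'style attribute or element', re: /<style\b|\sstyle\s*=/i },
];

function findUnsafe(html) {
  return DANGER_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.name);
}

// Constructed vectors for the suite (categories from the OWASP cheat sheet).
const VECTORS = [
  { id: 'script-tag', input: '<script>alert(1)</script>' },
  { id: 'img-onerror', input: '<img src=x onerror=alert(1)>' },
  { id: 'javascript-href', input: '<a href="javascript:alert(1)">link</a>' },
  { id: 'encoded-scheme', input: '<a href="jav&#x09;ascript:alert(1)">link</a>' },
  { id: 'iframe-src', input: '<iframe src="https://example.invalid/"></iframe>' },
  { id: 'svg-onload', input: '<svg/onload=alert(1)>' },
  { id: 'style-break-layout', input: '<p style="position:fixed;top:0">text</p>' },
  { id: 'mixed-case', input: '<ScRiPt>alert(1)</sCrIpT>' },
];

// Run every vector through `sanitize` and report which ones still carry
// something dangerous. `sanitize` is any (string) => string function.
function runSuite(sanitize, vectors = VECTORS) {
  return vectors.map(({ id, input }) => {
    const output = sanitize(input);
    const findings = findUnsafe(output);
    return { id, output, findings, pass: findings.length === 0 };
  });
}

for (const r of runSuite(allowlistSanitize)) {
  console.log(`${r.pass ? 'PASS' : 'FAIL'} ${r.id} -> ${JSON.stringify(r.output)} ${r.findings.join(', ')}`);
}
```

To test the "final render" rather than the string input, feed the editor's rendered DOM (`element.innerHTML` under jsdom) into `findUnsafe` instead of the sanitizer output; the same pattern list applies to both.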