It is possible for an attacker to place some malicious JS in a string that is stored as the description text of a proposal. This text, once downloaded by the UI, may be included in HTML that the user's browser renders. An attacker could use malicious JS to send transactions from a user's unlocked account.
I have been trying to create a proof of concept, but it seems that React is causing the JS I inject to be interpreted as HTML. But it's likely that an attacker could find a way to do this. So I suggest we require that all data from the Ethereum node be validated so that key JS characters `<script>` `<\script>` are dereferenced to `\<script\>` `\<\\script\>`. I can find a nice library to do this if you people don't have one you prefer. I think there will be a wave of attacks exploiting this once several apps go mainstream.
Credit for this one also goes to @vsimetka. For more information see https://github.com/Giveth/milestonetracker-ui/issues/4, which is another one I found while trying to do this injection.
Thoughts on this would be appreciated.
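As an added illustration (not code from the milestonetracker-ui project or from the reporter), the snippet below shows the difference between dropping a proposal description straight into markup and escaping it first. It escapes the five HTML-significant characters (`& < > " '`) rather than only the literal `<script>` token, because a payload such as `<img onerror=...>` never contains `<script>` yet still executes JS once it lands in a DOM. `renderProposalUnsafe`, `renderProposalSafe` and `containsRawTag` are hypothetical helpers written for this example; the sample payloads are constructed and the `0xattacker` address is a placeholder. Note that React already performs this escaping for string children in JSX; the dangerous paths are `dangerouslySetInnerHTML`, manual `innerHTML` writes, or any non-React code that builds HTML from node data.

```javascript
// Added example, not from the milestonetracker-ui project: escape untrusted
// proposal text from an Ethereum node before it is ever placed in HTML.
// These five characters are the ones that can open a tag, close a tag, or
// break out of an attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(input) {
  // Coerce non-strings (e.g. a BigNumber returned by web3) to string first.
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer: what a UI does when it interpolates a description
// fetched from the chain into markup without escaping.
function renderProposalUnsafe(description) {
  return `<div class="description">${description}</div>`;
}

// Same renderer with the description escaped first.
function renderProposalSafe(description) {
  return `<div class="description">${escapeHtml(description)}</div>`;
}

// Heuristic check on the rendered fragment: after stripping the wrapper we
// added, any "<" followed by a letter, "/" or "!" would start a tag or a
// comment, i.e. the description still controls markup. True means unsafe.
function containsRawTag(html) {
  const body = html
    .replace(/^<div class="description">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z\/!]/.test(body);
}

// Constructed sample descriptions, not taken from any real proposal.
const PAYLOADS = [
  // Classic script tag that would drain an unlocked account.
  "<script>web3.eth.sendTransaction({to:'0xattacker',value:web3.toWei(1,'ether')})</script>",
  // No "<script>" substring at all, but executes on image load failure.
  '<img src=x onerror="web3.eth.sendTransaction({to:\'0xattacker\'})">',
  // Benign text that happens to contain characters the escaper touches.
  "Fund the bridge & \"road\" projects, 'phase 1'",
];

// Run every payload through both renderers and report which ones survive
// as live markup. Returns an array of {payload, unsafeLeaksTag, safeLeaksTag}.
function evaluatePayloads(payloads = PAYLOADS) {
  return payloads.map((payload) => ({
    payload,
    unsafeLeaksTag: containsRawTag(renderProposalUnsafe(payload)),
    safeLeaksTag: containsRawTag(renderProposalSafe(payload)),
  }));
}

for (const result of evaluatePayloads()) {
  console.log(
    `unsafe=${result.unsafeLeaksTag} safe=${result.safeLeaksTag} :: ${result.payload}`
  );
}
```

The escaping has to happen at the point where the string meets HTML, not once at fetch time: a description escaped for HTML is wrong if it is later placed in a JS string, a URL, or an attribute built by concatenation, and double-escaping a value that React will escape again shows literal `&amp;lt;` to the user. Keeping the raw string in state and escaping (or letting React escape) at render time avoids both problems.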