injection vulnerability

[hohwille]

In case a user of grow does something like growl.error(errorMessageWithUserInput) then the client gets vulnerable for injection and XSS. This way an evil hacker can read cookies and send it to evil sites. IMHO growl should already prevent such vulnerability e.g. by using $sanitize (https://docs.angularjs.org/api/ngSanitize/service/$sanitize). Filtering/escaping all markup would also be fine for me but maybe some growl users like to do injection of markup such as ul, string, em, etc. in growl messages.

[flippinjoe]

Maybe I'm misunderstanding where your problem is. In growlMessageService.js Line: 101

message.text = $sce.trustAsHtml(String(message.text));

Which all messages pass through this before being displayed. Are you saying that this logic is being bypassed in certain situations?

[dgsmith2]

@morgenes noticed this vulnerability as well. If the message contains user supplied text, scripts can be run when the message is displayed (e.g., <script>console.log('gotcha')</script>). We take advantage of the fact messages are rendered as HTML because we want to have working links in our messages. To combat the XSS we are using Lodash's _.escape() on user-supplied input that is rendered in a message.