KirillOsenkov / RoslynQuoter

Roslyn tool that for a given C# program shows syntax tree API calls to construct its syntax tree
http://roslynquoter.azurewebsites.net
Apache License 2.0
922 stars 118 forks

DOM XSS vulnerability in scripts.js in http://roslynquoter.azurewebsites.net/ #20

Closed guylando closed 7 years ago

guylando commented 7 years ago

The setResult function has the line: container.innerHTML = data; where data is the response from the server operating on the input value, which I am pretty sure can be HTML.

KirillOsenkov commented 7 years ago

Thanks for logging this. Unfortunately I have no idea about this (beginner web dev). Do you have a fix in mind, or what are the potential implications of the attack?

guylando commented 7 years ago

Well, .innerText instead of .innerHTML prevents the code from being executed, so the question is whether you really want the code to be rendered as HTML. If so, then maybe you can whitelist the tags you want to allow, HTML-encode the whole string, and string-replace only the encoded whitelisted tags back to their unencoded form. I would classify this as a minor or even informational vulnerability, since there is no simple way to trigger it and it affects the domain of your specific site, which is probably just a demo domain, so it's insignificant.
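The three options discussed in this thread side by side, as an added example that is not code from RoslynQuoter or from either commenter: the innerHTML sink as reported, the textContent/innerText fix, and the "encode everything, then restore an allowlist of tags" idea. It runs in Node with a constructed stand-in for a DOM element, so no browser is needed; the allowlist (ALLOWED_TAGS), the function names and the probe payload (the one tried later in this thread) are assumptions made for the example.

```javascript
// Added example, not part of RoslynQuoter. Constructed stand-in for a DOM
// element: assigning innerHTML in a real browser would parse the string as
// markup, assigning textContent would not.
function makeContainer() {
  return { innerHTML: '', textContent: '' };
}

// The pattern reported in the issue. If `data` contains attacker-controlled
// markup, a browser parses it and runs any script-bearing constructs.
function setResultUnsafe(container, data) {
  container.innerHTML = data;
}

// Fix 1: treat the server response as text. innerText behaves the same way
// for this purpose; textContent is the spec-defined property.
function setResultText(container, data) {
  container.textContent = data;
}

// Encode the five characters that matter in HTML text and attribute contexts.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Fix 2, the allowlist idea from the thread: encode the whole string, then
// restore only bare <tag> / </tag> forms for a fixed set of tags. Anything
// carrying attributes (e.g. <b onclick=...>) never matches and stays encoded.
const ALLOWED_TAGS = ['b', 'i', 'span', 'br']; // assumption for the example

function encodeWithAllowlist(s) {
  let out = htmlEncode(s);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`)
             .split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

function setResultAllowlisted(container, data) {
  container.innerHTML = encodeWithAllowlist(data);
}

// Crude check used by the demo: does the markup contain a live tag whose
// name is outside the allowlist? Encoded '&lt;' does not match '<'.
function containsDisallowedTag(html) {
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!ALLOWED_TAGS.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Probe payload from this thread (constructed input for the demo).
const PROBE = '<aaa"<h1>aa';

function demo() {
  const unsafe = makeContainer();
  setResultUnsafe(unsafe, PROBE);

  const text = makeContainer();
  setResultText(text, PROBE);

  const allowed = makeContainer();
  setResultAllowlisted(allowed, PROBE + '<b>ok</b><b onclick="x()">no</b>');

  return {
    unsafeHasLiveTag: containsDisallowedTag(unsafe.innerHTML),
    textHasLiveTag: containsDisallowedTag(text.innerHTML),
    allowlistedHtml: allowed.innerHTML,
    allowlistedHasLiveTag: containsDisallowedTag(allowed.innerHTML),
  };
}
```

Of the two fixes, textContent is the one to reach for: it needs no parser of its own and cannot be bypassed by a tag the string-replace allowlist did not anticipate. The allowlist variant is only as safe as the guarantee that every decoded `<` comes from a bare allowed tag, which is why it restores nothing that carries attributes.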

guylando commented 7 years ago

I now tested execution with <aaa"<h1>aa and saw that the server encodes the response, so the client-side problem is dealt with by the server, so I am closing this.

KirillOsenkov commented 7 years ago

OK, cool, thanks for letting me know.