Closed joevennix closed 9 years ago
If node-webkit supports it, you might look into adding the Content-Security-Policy meta tag to your templates to prevent inline script from running.
Funny you should mention that. The 1.2.0 version of the app has CSP. It at least pukes an error if that is attempted.
There seems to be a problem with iOS and CSP. It might be a Cordova issue. I'll make sure that's sorted out before I release iOS.
edit: It turns out the CSP just hasn't been merged into the iOS branch. It should be fine by the time it's released.
Ah, now I see you have the meta tag on master: https://github.com/devgeeks/Encryptr/blob/master/www/index.html#L12 I was using 1.1.0 from the website.
That CSP policy seems excessively lax though, you can load any https:// URL. So you can still inject a script with a src of any https:// link...
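The weakness described in the comment above (a policy that lets any https:// host serve script) is easy to spot mechanically. The following checker is an added example, not code from Encryptr or its author; it parses a Content-Security-Policy string, works out which directive governs script loads, and flags inline script, eval, wildcards and scheme-only sources. The two policies in it are constructed for the example and are not Encryptr's actual policy.

```javascript
// Added example (not from the Encryptr project): audit the script-loading
// part of a Content-Security-Policy string for the weaknesses raised in the
// issue thread. Policies below are constructed, not taken from the app.

// Split "dir1 v1 v2; dir2 v3" into { dir1: ['v1','v2'], dir2: ['v3'] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Sources that govern <script> loads: script-src if present, otherwise
// default-src (the CSP fallback rule), otherwise null (nothing restricts them).
function effectiveScriptSources(directives) {
  if (directives['script-src']) return directives['script-src'];
  if (directives['default-src']) return directives['default-src'];
  return null;
}

// Returns a list of human-readable findings; an empty list means the script
// policy has none of the checked weaknesses.
function auditScriptPolicy(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  const findings = [];
  if (sources === null) {
    findings.push('no script-src or default-src: every script source is allowed');
    return findings;
  }
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") findings.push('inline script allowed');
    if (s === "'unsafe-eval'") findings.push('eval allowed');
    if (s === '*') findings.push('wildcard host: any origin can serve script');
    if (s === 'https:' || s === 'http:') {
      findings.push(`scheme-only source ${src} lets any ${src}// host serve script`);
    }
    if (s.startsWith('*.') || /^https?:\/\/\*\./.test(s)) {
      findings.push(`wildcard subdomain source ${src}`);
    }
  }
  return findings;
}

// Constructed policies: a lax one of the kind the comment describes, and a
// tightened one that only allows same-origin script.
const LAX_POLICY = "default-src 'self' https:; style-src 'self' 'unsafe-inline'";
const STRICT_POLICY = "default-src 'self'; script-src 'self'; style-src 'self'";

console.log('lax:', auditScriptPolicy(LAX_POLICY));
console.log('strict:', auditScriptPolicy(STRICT_POLICY));
```

Note that `style-src 'unsafe-inline'` in the lax policy is deliberately not reported: the checker only looks at the directive that governs script, which is the part relevant to the injection discussed here.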
Problem with this in desktop browser - in permissive Chrome or plain Firefox:
abc"def
and save it"
to abc
(Sorry, my last comment belonged in the PR, not this issue.)
Reproduce:
<script>alert(Object.keys(this))</script>
Results:
Click to view the password you just saved; you'll get a popup containing:
Unfortunately this script has the full power of node. This is the downside of privileged script in the DOM :(
<script>require('child_process').spawn('touch', ['/tmp/owned'])</script>
etc
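The injection reproduced in this thread works because a saved entry's label is placed into the page as markup. As an added example (not Encryptr's code; the entry object and field name are constructed), here is a concatenation-based renderer beside a version that escapes every interpolated value, run against the same payload the reporter used. CSP limits what an injected script may do; escaping stops the label from becoming script at all, and in a node-webkit page where script is privileged both layers matter.

```javascript
// Added example (not from the Encryptr project): rendering a user-supplied
// entry label into HTML. The unsafe renderer reproduces the defect class
// reported in the thread; the safe renderer escapes the five HTML
// metacharacters in both attribute and text positions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the label is concatenated straight into markup, so a label of
// <script>...</script> is parsed as a script element, and a label containing
// a double quote escapes the title attribute.
function renderEntryUnsafe(entry) {
  return '<li class="entry" title="' + entry.label + '">' + entry.label + '</li>';
}

// Hardened: every interpolated value is escaped first. Where a DOM is
// available, assigning the label to element.textContent achieves the same.
function renderEntrySafe(entry) {
  const label = escapeHtml(entry.label);
  return '<li class="entry" title="' + label + '">' + label + '</li>';
}

// Constructed entries: the payload from the issue and the attribute-breaking
// label mentioned earlier in the thread.
const SCRIPT_ENTRY = { label: '<script>alert(Object.keys(this))</script>' };
const QUOTE_ENTRY = { label: 'abc"def' };

console.log(renderEntryUnsafe(SCRIPT_ENTRY));
console.log(renderEntrySafe(SCRIPT_ENTRY));
console.log(renderEntrySafe(QUOTE_ENTRY));
```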