candy-chat / candy

JavaScript-based multi-user chat client for XMPP.
http://candy-chat.github.io/candy
MIT License

Use a whitelist for XHTML-IM elements and attributes #445

Open linkmauve opened 8 years ago

linkmauve commented 8 years ago

The current method makes it trivial to execute scripts for any attacker, e.g. by sending <img src="something" onerror="alert('Hello XSS')"/> in a room.

http://xmpp.org/extensions/xep-0071.html defines a subset of elements alongside their attributes. I highly recommend that you whitelist only those and ignore any other element or attribute you come across.

benlangfeld commented 8 years ago

Thank you for the report @linkmauve. Do you think you might be able to propose a fix?

attritionorg commented 7 years ago

Can you confirm if this was fixed? If so, a link to the commit and/or fixing version? Also if this is related to https://github.com/candy-chat/candy/issues/498?

benlangfeld commented 7 years ago

No-one has yet proposed a fix.
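The whitelist approach recommended in the report above, sketched as an added example; it is not part of the original thread and is not Candy's code. The element and attribute table is an assumed subset modeled on XEP-0071 (with `style` deliberately left out), the URL scheme list is an assumption, and `sanitize`, `el` and the sample message are hypothetical, constructed so the code runs without a browser.

```javascript
// Allowlist of XHTML-IM elements and the attributes kept on each (assumed subset).
const ALLOWED = {
  a: ['href'], blockquote: [], br: [], cite: [], em: [],
  img: ['alt', 'height', 'src', 'width'],
  li: [], ol: [], p: [], span: [], strong: [], ul: [],
};
const VOID = new Set(['br', 'img']);
// URL-bearing attributes must start with an allowed scheme (assumed list).
const URL_OK = { href: /^(https?|mailto|xmpp):/i, src: /^https?:/i };

const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Rebuilds markup from the allowlist instead of stripping known-bad input.
// Accepts DOM nodes or objects with nodeType/nodeName/attributes/childNodes.
function sanitize(node) {
  if (node.nodeType === 3) return escapeHtml(node.nodeValue); // text node
  if (node.nodeType !== 1) return '';                         // comments etc.
  const inner = Array.from(node.childNodes || []).map(sanitize).join('');
  const name = node.nodeName.toLowerCase();
  // Unknown element: drop the tag, keep its already-sanitized children.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) return inner;
  let attrs = '';
  for (const { name: rawName, value } of Array.from(node.attributes || [])) {
    const attr = rawName.toLowerCase();
    const v = String(value).trim();
    if (!ALLOWED[name].includes(attr)) continue;          // e.g. onerror, onclick
    if (URL_OK[attr] && !URL_OK[attr].test(v)) continue;  // e.g. javascript:
    attrs += ` ${attr}="${escapeHtml(v)}"`;
  }
  return VOID.has(name) ? `<${name}${attrs}/>` : `<${name}${attrs}>${inner}</${name}>`;
}

// Constructed DOM-like nodes standing in for a parsed XHTML-IM <body/>.
const el = (nodeName, attrs = {}, ...kids) => ({
  nodeType: 1, nodeName,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
  childNodes: kids.map((k) => (typeof k === 'string' ? { nodeType: 3, nodeValue: k } : k)),
});
const sample = el('body', {},
  el('p', { onclick: 'x()' }, 'Hi ', el('strong', {}, 'all')),
  el('img', { src: 'something', onerror: "alert('Hello XSS')" }), // from the report
  el('a', { href: 'javascript:alert(1)' }, 'link'),
  el('script', {}, 'alert(2)'));

console.log(sanitize(sample));
```

Because the output is rebuilt from the table, an attribute or element that is not listed can never reach the page, whatever its name.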