elm / virtual-dom

The foundation of HTML and SVG in Elm.
https://package.elm-lang.org/packages/elm/virtual-dom/latest
BSD 3-Clause "New" or "Revised" License

`</script>` in string literals is not escaped for embedding elm.js directly in HTML #176

Open mkoppmann opened 3 years ago

mkoppmann commented 3 years ago

The Elm runtime crashes when </script> is used. Other XSS examples are correctly encoded.

Minimal example:

import Html exposing (text)
main = text "</script>"

Result:

_Platform_export({'Main':{'init':_VirtualDom_init($author$project$Main$main)(0)(0)}});}(this));

  var app = Elm.Main.init({ node: document.getElementById("elm") });
}
catch (e)
{
  // display initialization errors (e.g. bad flags, infinite recursion)
  var header = document.createElement("h1");
  header.style.fontFamily = "monospace";
  header.innerText = "Initialization Error";
  var pre = document.getElementById("elm");
  document.body.insertBefore(header, pre);
  pre.innerText = e;
  throw e;
}

Working example:

import Html exposing (text)
main = text "<a href=\"javascript://%0Aalert('XSS');\">XSS</a>"

Result (correctly encoded):

<a href="javascript://%0Aalert('XSS');">XSS</a>

This happens in the Elm Playground, with elm reactor or builds created by elm make.

User input is also correctly encoded. This happens only for </script> when it’s used at compile-time.
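Added example, written in JavaScript rather than Elm and not taken from the issue or from the elm/virtual-dom project: it shows why an inlined script ends at the first `</script` regardless of JavaScript quoting, and one escaping step an author can apply to compiled output before placing it inside a `<script>` element. The approach follows the HTML spec's restrictions on script content: the `<` of the sequences `<!--`, `<script` and `</script` is replaced with the JavaScript escape `\x3C`, which evaluates back to `<` inside string, template and regex literals. The `compiledSample` string is constructed to resemble compiler output and is not real `elm make` output; all function names are this example's own, and it assumes those sequences occur only inside literals or comments in the code being escaped.

```javascript
// Added example (not from the elm/virtual-dom issue or project): an HTML
// tokenizer ends a <script> element at the first "</script" it sees,
// ASCII case-insensitively, with no knowledge of JavaScript string quoting.
// A string literal "</script>" in inlined compiler output therefore ends the
// script early and the remainder of the code is rendered as page text.
//
// The escape applied here follows the HTML spec's restrictions on script
// content: replace the "<" of "<!--", "<script" and "</script" with the
// JavaScript escape "\x3C", which evaluates back to "<" inside string,
// template and regex literals. Assumption: the code being escaped contains
// these sequences only inside such literals or comments.

// Constructed sample shaped like compiler output; NOT real `elm make` output.
const compiledSample =
  'var $author$project$Main$main = $elm$html$Html$text("</script>");';

// Index at which an HTML tokenizer would terminate an inline script, or -1.
function findScriptTerminator(js) {
  return js.search(/<\/script/i);
}

// Escape JavaScript for placement between <script> and </script>.
function escapeInlineScript(js) {
  return js.replace(/<(?=!--|\/?script)/gi, "\\x3C");
}

// Check that escaping does not change what a JavaScript expression evaluates to.
function evaluatesUnchanged(jsExpression) {
  const original = new Function("return (" + jsExpression + ");")();
  const escaped = new Function(
    "return (" + escapeInlineScript(jsExpression) + ");"
  )();
  return original === escaped;
}

// Assemble a page with the compiled code inlined, escaped so that the only
// "</script" in the document is the real closing tag.
function buildInlinePage(compiledJs) {
  return (
    '<!DOCTYPE html>\n<html>\n<body>\n<div id="elm"></div>\n<script>\n' +
    escapeInlineScript(compiledJs) +
    "\n</script>\n</body>\n</html>\n"
  );
}

// Number of "</script" sequences in a document; a correctly built page has one.
function countScriptTerminators(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unescaped terminates at:", findScriptTerminator(compiledSample));
  console.log(
    "escaped terminates at:  ",
    findScriptTerminator(escapeInlineScript(compiledSample))
  );
  console.log("value preserved:", evaluatesUnchanged('"</script>"'));
  console.log(buildInlinePage(compiledSample));
}
```

The escape only rewrites the three sequences the HTML parser cares about, so a plain `a < b` comparison in the code is left untouched; `countScriptTerminators` is the check to run on the assembled page before shipping it, since the expected count is exactly one, the closing tag itself.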