Open WhileTrueEndWhile opened 7 years ago
There must be support for displaying the data as HTML, at least as long as the CKEditor uses the display template of the TextArea field. We implemented data HTML sanitizing: https://github.com/ToreOlavKristiansen/alpaca/commit/f44ecee2f7a3ef665861ac0b9e0e9383973867b8
Hi,

there are currently at least two Handlebars templates that use `{{{data}}}` instead of `{{data}}`: so data that is displayed in a `display` view is not escaped, and the following code will be executed:

`</script><script>alert("Owned.")></script>`

Note: The first closing script tag is important to exploit this bug. Also `<b>I am bold now!></b>` works and the text is displayed in bold type.

A search of "{{{" has 84 results in 42 files. But few usages are critical: since a helper is a static read-only resource and is not user-defined, it should be no problem to interpret it as HTML. A search of "{{{data}}}" has 5 results in 5 files and "{{{value}}}" has 10 results in 7 files. So maybe there are more issues than the two templates above.

To test this behavior, put the following configuration into the "Source" of this page: docs/fields/text.html. Each time you click "Run", a dialog showing the text "Owned." should appear:
I cannot imagine that it is correct for you to interpret `data` as HTML and not as text. In my application, only for the specific case of `display` views, I have overwritten `options.view.templates.control-text` and `options.view.templates.control-textarea` with `<div>{{data}}</div>` to fix this issue. But it would be nice if you could fix the bug in the source code. Thanks!
Update:

The following files are affected:

At least one of the following unsafe uses can be found in any file:

- `{{{data}}}`
- `{{{value}}}`
- `{{#each data}}` => `{{{.}}}`
- `{{{str data}}}`
Thank you very much for this great project. Although personally shocked by these templates, the architecture is very good.
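As an added illustration (not code from Alpaca, Handlebars or the reporter), the snippet below models the `{{{data}}}` versus `{{data}}` difference described above with a minimal stand-in renderer that reuses Handlebars' escape table, and audits template source for the unsafe triple-stash forms listed in the update. The renderer, the `findUnsafeTripleStash` helper and the sample template strings are assumptions made for this demonstration.

```javascript
// Added example (not Alpaca's or Handlebars' own code). It models the two
// mustache forms the issue contrasts: `{{{x}}}` (raw) versus `{{x}}` (escaped),
// and audits template source for the unsafe triple-stash forms the update lists.

// Same replacement table Handlebars' escapeExpression applies for `{{x}}`.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};
function escapeExpression(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPES[ch]);
}

// Minimal stand-in renderer (assumption: plain property lookups only, no
// helpers or block expressions). Single pass, so raw output is never re-scanned.
function render(template, context) {
  const re = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;
  return template.replace(re, (_, raw, escaped) =>
    raw !== undefined ? String(context[raw]) : escapeExpression(context[escaped]));
}

// The display templates from the issue: the vulnerable one and the override
// the reporter used for options.view.templates.control-text / control-textarea.
const VULNERABLE_TEMPLATE = '<div>{{{data}}}</div>';
const FIXED_TEMPLATE = '<div>{{data}}</div>';

// Audit: list every triple-stash whose body is one of the user-controlled
// forms named in the issue's update (data, value, ., str data). Helpers that
// emit static markup are left alone, as the reporter notes they are harmless.
const UNSAFE_BODIES = /^(data|value|\.|str data)$/;
function findUnsafeTripleStash(source) {
  const hits = [];
  const re = /\{\{\{\s*([^{}]*?)\s*\}\}\}/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (UNSAFE_BODIES.test(m[1])) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample input: the field value quoted in the report.
const PAYLOAD = '</script><script>alert("Owned.")></script>';
console.log(render(VULNERABLE_TEMPLATE, { data: PAYLOAD })); // markup lands in the page
console.log(render(FIXED_TEMPLATE, { data: PAYLOAD }));      // inert, escaped text
console.log(findUnsafeTripleStash('{{#each data}}{{{.}}}{{/each}} {{{str data}}} {{{icon}}}'));
```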