jmrivas86 / django-json-widget

An alternative widget that makes it easy to edit Django's new JSONField (PostgreSQL-specific model field)
MIT License
433 stars, 88 forks

Major Security Issue #62

Closed. OmarGitHubDev closed this issue 11 months ago.

OmarGitHubDev commented 2 years ago

Description

This library isn't safe to use. I could inject JavaScript code into it and it rendered in my admin view, which might allow hackers to gain access to all my admin capabilities.

This issue makes the whole library unusable for me, especially since the JSON data we're storing comes from parties we can't trust.

What I Did

- I put JavaScript code in the JSON field I have, e.g. <script> alert('hi'); </script>
- Set the widget for that field to JSONEditorWidget on admin
- Opened the change page for the object with that field, and the JavaScript was executed, which it shouldn't have been

I think the cause of the issue is the following code in the library:

<div {% if not widget.attrs.style %}style="height:{{widget.height|default:'500px'}};width:{{widget.width|default:'90%'}};display:inline-block;"{% endif %}{% include "django/forms/widgets/attrs.html" %}></div>

<textarea id="{{widget.attrs.id}}_textarea" name="{{ widget.name }}" required="" style="display: none">{{ widget.value }}</textarea>

<script>
    (function() {
        var container = document.getElementById("{{ widget.attrs.id }}");
        var textarea = document.getElementById("{{widget.attrs.id}}_textarea");

        var options = {{ widget.options|safe }};
        options.onChange = function () {
            var json = editor.get();
            textarea.value=JSON.stringify(json);
        }

        var editor = new JSONEditor(container, options);
        var json = {{ widget.value|safe }};
        editor.set(json);
    })();
</script>

As you can see, you use |safe on the value of the widget, which you shouldn't do. I've tried removing the |safe filter, but that made the JSON not load at all!
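The script breakout the report describes, next to the escaping that keeps the JSON loadable without it, as an added Python example (not code from django-json-widget or from the reporter). It re-implements the `<`/`>`/`&` escaping that Django's `json_script` filter applies so it runs without Django; the stored value and the `render_*` helpers are constructed for the demonstration.

```python
import json
import re

# Constructed sample: the JSON stored in the model field, carrying the
# payload from the issue report inside a string value.
STORED_VALUE = {"comment": "<script> alert('hi'); </script>"}


def render_with_safe_filter(value):
    """Mimics `var json = {{ widget.value|safe }};` from the template: the raw
    JSON text is pasted into the <script> body with no escaping at all."""
    return "<script>\n    var json = %s;\n</script>" % json.dumps(value)


def json_for_script(value):
    """Serialise `value` so it can sit inside a <script> element.
    The HTML parser ends a <script> at the first '</script' it sees, even
    inside a JS string literal, so '<', '>' and '&' are emitted as JSON
    \\u escapes. A JS literal or JSON.parse turns them back into the
    original characters, so the editor still receives the real data.
    (This is the same escaping Django's json_script filter performs.)"""
    text = json.dumps(value)
    return (text.replace("&", "\\u0026")
                .replace("<", "\\u003c")
                .replace(">", "\\u003e"))


def render_hardened(value):
    """Same template line, but with the script-safe serialisation instead
    of |safe. Plain autoescaping (dropping |safe) is not enough: it would
    turn the quotes into &quot; and the JS literal would fail to parse,
    which is the 'json does not load at all' the report mentions."""
    return "<script>\n    var json = %s;\n</script>" % json_for_script(value)


SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)


def breaks_out_of_script(html):
    """True if the rendered snippet contains more than the single closing
    tag the template itself emits, i.e. field data ended the script early."""
    return len(SCRIPT_CLOSE.findall(html)) > 1


def round_trips(value):
    """The escaped form must still decode to the original data."""
    return json.loads(json_for_script(value)) == value
```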