This library isn't safe to use: I could inject JavaScript code into it and it rendered in my admin view, which might allow hackers to have access to all my admin capabilities.
This issue makes the whole library unusable to me, especially since the JSON data we're storing comes from parties we can't trust.
What I Did
- I put JavaScript code in the JSON field I have, e.g. `<script> alert('hi'); </script>`
- Set the widget for that field to be `JSONEditorWidget` on admin
- Opened the change page for the object with that field, and the JavaScript was executed, which it shouldn't
I think the cause of the issue is the following code in the library:

```html
<div {% if not widget.attrs.style %}style="height:{{widget.height|default:'500px'}};width:{{widget.width|default:'90%'}};display:inline-block;"{% endif %}{% include "django/forms/widgets/attrs.html" %}></div>
<textarea id="{{widget.attrs.id}}_textarea" name="{{ widget.name }}" required="" style="display: none">{{ widget.value }}</textarea>
<script>
(function() {
    var container = document.getElementById("{{ widget.attrs.id }}");
    var textarea = document.getElementById("{{widget.attrs.id}}_textarea");
    var options = {{ widget.options|safe }};
    options.onChange = function () {
        var json = editor.get();
        textarea.value = JSON.stringify(json);
    }
    var editor = new JSONEditor(container, options);
    var json = {{ widget.value|safe }};
    editor.set(json);
})();
</script>
```

As you can see, you use `|safe` on the value of the widget, which you shouldn't do. I've tried removing the `|safe` filter but that made the JSON not load at all!
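The following is an added illustration, not code from the issue or from the widget library. It models the three renderings discussed above: the reported `{{ widget.value|safe }}` (raw JSON inside the `<script>`, so a stored `</script>` closes the block early), the plain `{{ widget.value }}` (HTML-escaped, which is why the JSON stopped loading), and the approach Django's built-in `json_script` filter takes, encoding `<`, `>` and `&` as JSON `\uXXXX` escapes that JavaScript decodes back to the original characters. The sample value is constructed from the payload in the report.

```python
import html
import json

# Constructed sample: the untrusted JSON stored in the model field,
# carrying the payload quoted in the report.
UNTRUSTED_VALUE = {"note": "<script> alert('hi'); </script>"}


def render_unsafe(value):
    """Mirrors {{ widget.value|safe }}: the raw JSON text is dropped into the
    inline script, so a string containing </script> ends the block early and
    what follows is parsed as HTML markup."""
    return "<script>var json = " + json.dumps(value) + ";</script>"


def html_escaped_json_is_valid(value):
    """Mirrors removing |safe: Django's autoescape turns every quote into
    &quot;, which is no longer valid JSON/JS, so the editor cannot load it."""
    try:
        json.loads(html.escape(json.dumps(value)))
        return True
    except ValueError:
        return False


def json_for_script(value):
    """Serialize for embedding in a <script> body: encode the characters that
    could close the tag or start markup as JSON escapes. Both JSON.parse and a
    JS object literal decode them back to the original text. This is the same
    substitution Django's json_script template filter performs."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(value):
    """Same script as render_unsafe, but with the escaped serialization."""
    return "<script>var json = " + json_for_script(value) + ";</script>"


def script_closed_early(markup):
    """Detect a prematurely terminated script block: more than one </script>."""
    return markup.lower().count("</script>") > 1


def decodes_unchanged(encoded, original):
    """Confirm the escaped text is still valid JSON equal to the original."""
    return json.loads(encoded) == original
```

In the template this corresponds to replacing the `|safe` interpolation with `{{ widget.value|json_script:"some_id" }}` and reading the element's text with `JSON.parse`, which keeps the JSON loadable without letting markup in the value reach the HTML parser.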