justin-schroeder / arrow-js

Reactivity without the framework
https://arrow-js.com
MIT License

Cross-Site Scripting Vectors (XSS) #78

Open cferdinandi opened 11 months ago

cferdinandi commented 11 months ago

Hi there! From one lightweight reactive library creator to another, nice work!

Just wanted to flag a few XSS vectors not currently blocked by ArrowJS. The first two alerts show up. The third alert (in the svg) and fourth do not. The janky table format is rendered, as is the link which, if opened, runs an attack.

I'm not sure what your rendering and diffing engine looks like under the hood, or I'd share a fix, but if you want, feel free to peruse my source code if anything in there is useful to you.

// Assumed import (not in the original snippet): arrow-js exposes its
// tagged template as `html` from the @arrow-js/core package.
import { html } from '@arrow-js/core';

// Six markup strings, each exercising a different injection vector.
let xss = [
    `<p><img src="x" onerror="alert(1)"></p>`,
    `<p>abc<iframe//src=jAva&Tab;script:alert(2)>def</p>`,
    `<svg><g/onload=alert(3)//<p>`,
    `<math><mi//xlink:href="data:x,<script>alert(4)</script>">`,
    `<TABLE><tr><td>HELLO</tr></TABL>`,
    `<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>`
];

// Each string is interpolated into a template as a plain value; the report
// is that arrow renders such values as markup instead of as text.
let template = html`${xss.map(function (elem) {
    return html`${elem}`;
})}`;

// Mount the template into the #app element.
template(document.querySelector('#app'));

madelson commented 9 months ago

Will these be fixed?

justin-schroeder commented 9 months ago

Definitely. It actually is fixed in the arrow-refactor-2 branch (as well as a bunch of perf improvements). However, that said, arrow is still an experiment and I'm looking for the right tradeoffs to make. There will likely be an arrow-refactor-3 branch, perhaps even a 4th, as we try to path-find here.

cferdinandi commented 9 months ago

This is also generally only a problem with third party data. Most people don’t XSS attack themselves. Still useful to be aware of.

madelson commented 9 months ago

@justin-schroeder thanks for the update. Do you have a sense of when the next version would be released / how breaking it would be? Is there a good way to follow progress? I'm starting a new project and interested in trying Arrow. Curious what the upcoming changes and timelines are like.

@cferdinandi the code you show has these hard-coded into the templates themselves. I'm more worried about an XSS attack where I include some data as text content and arrow fails to escape it such that it injects tags/behavior onto the page. Have you seen anything like that? Am I thinking about this the right way?

cferdinandi commented 9 months ago

@madelson That's exactly right! I hard-coded them just for example purposes, but in real-life situations, the danger is user-generated or API-derived data that you use in your templates containing malicious code.
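The property madelson asks about above, interpolated data treated as text rather than markup, shown as an added example that is not arrow-js code: a minimal tagged template whose literal parts are trusted and whose `${...}` values are always escaped. The `Markup` class, `escapeValue` and `safeHtml` names are this example's own, and the sample input reuses two of the vectors reported in this thread.

```javascript
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Marker for markup that safeHtml itself produced, so nesting does not double-escape.
class Markup {
  constructor(str) { this.str = str; }
  toString() { return this.str; }
}

// Escape one interpolated value for an HTML text or quoted-attribute context.
function escapeValue(value) {
  if (value instanceof Markup) return value.str;                // rendered by us already
  if (Array.isArray(value)) return value.map(escapeValue).join('');
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: literal parts are author-written and trusted; every ${...}
// is escaped before concatenation, so data can never open a tag.
function safeHtml(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeValue(values[i]) + strings[i + 1];
  }
  return new Markup(out);
}

// Constructed third-party input, reusing two vectors reported in this thread.
const untrusted = [
  '<p><img src="x" onerror="alert(1)"></p>',
  '<svg><g/onload=alert(3)//<p>',
];

// Renders untrusted strings as text: the browser sees &lt;img ...&gt;, not an element.
function renderList(items) {
  return safeHtml`<ul>${items.map((item) => safeHtml`<li>${item}</li>`)}</ul>`.str;
}

// True when every '<' in the output belongs to a tag the template author wrote.
function containsOnlyAuthoredTags(markup) {
  return !/<(?!\/?(ul|li)>)/.test(markup);
}

console.log(renderList(untrusted));
```

Text escaping covers the element-injection vectors but not the `href="data:..."` case from the first comment: a value placed into a URL attribute additionally needs its scheme checked against an allowlist (for example only `http:` and `https:`) before it is rendered.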