naturalcrit / homebrewery

Create authentic looking D&D homebrews using only markdown
https://homebrewery.naturalcrit.com
MIT License

[FEATURE]: User Snippets #1722

Open G-Ambatte opened 3 years ago

G-Ambatte commented 3 years ago

From the subreddit today (https://www.reddit.com/r/homebrewery/comments/pyg427/your_own_code_snippets): a suggestion for Users to be able to add their own custom Snippets to the SnippetBar.

I suspect that this would be an ideal use case for the UserInfo framework.

dbolack-ab commented 8 months ago

I have seen a lot of concern about exploits via remote CSS, etc. Should not the same concerns apply here? Even without snippet sharing it seems precarious.

5e-Cleric commented 8 months ago

As user snippets' CSS are scoped to the document iframe, there is no possibility of a CSS exfiltration or other kind of exploit. There is no data to steal apart from the url for our stylesheets, which is open anyway.

So that css would not touch the Homebrewery, just the rendered iframe.

ericscheid commented 8 months ago

If a script is executed within the brew's preview iframe, then that script has access to both cookies and localStorage. The user's authentication is stored in a cookie. (Tested by hand-writing a <button> inside the preview iframe via the Inspector).

That said, I don't know in which context the script runs — is it the css file, is it the iframe, is it the exploit .htc or .xbl file?

I don't know, and I really don't want us to find out the hard way.

https://stackoverflow.com/questions/476276/using-javascript-in-css

5e-Cleric commented 8 months ago

But we sanitize the CSS and markdown anyway; this CSS or markdown for the user snippets is not a bigger vulnerability than the style tab itself!
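As an added illustration of the kind of check the sanitization discussion above relies on, here is a small JavaScript pre-check (example code written for this thread, not Homebrewery's own sanitizer) that flags the legacy CSS constructs through which a stylesheet could pull in a script, including the `.htc` and `.xbl` mechanisms mentioned above. The pattern list and the sample snippets are constructed for this example.

```javascript
// Flag CSS constructs that can load script-bearing resources before a user
// snippet's stylesheet is injected into the preview iframe. Constructed
// example; not part of the Homebrewery code base.
const RISKY_CSS_PATTERNS = [
  { name: 'expression', re: /expression\s*\(/i },                // IE dynamic properties
  { name: 'behavior', re: /(^|[;{\s])-?(ms-)?behavior\s*:/i },   // IE .htc behaviors
  { name: 'moz-binding', re: /-moz-binding\s*:/i },              // Firefox XBL (.xbl) bindings
  { name: 'javascript-url', re: /url\s*\(\s*["']?\s*javascript:/i },
];

// Remove /* ... */ comments first so a construct split across a comment
// boundary (e.g. "beha/**/vior") is still seen as one token.
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Returns the names of the patterns that matched; an empty array means the
// snippet passed this pre-check (it is not a full CSS parser).
function findRiskyCss(css) {
  const cleaned = stripCssComments(css);
  return RISKY_CSS_PATTERNS.filter(p => p.re.test(cleaned)).map(p => p.name);
}

// Constructed sample snippets for the demonstration.
const SAFE_SNIPPET = `.monster { color: #58180D; font-family: 'ScalySans'; }`;
const RISKY_SNIPPET = `.monster { color: red; beha/* split */vior: url(x.htc); }`;

console.log(findRiskyCss(SAFE_SNIPPET));   // []
console.log(findRiskyCss(RISKY_SNIPPET));  // ['behavior']
```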

dbolack-ab commented 4 months ago

I'm going to suggest we not touch this issue but users can do so with TamperMonkey. We can even go so far as to build a usable framework stub.