nileshtrivedi / better

Browser extension that suggests better/ethical/local/cheaper alternative products & services than your current tab's URL.
MIT License

While replacing innerHTML, protect against XSS attacks #3

Open nileshtrivedi opened 4 years ago

nileshtrivedi commented 4 years ago

Inside the popup, we want to give an explanation, as well as the names and links of 1 or more alternatives. Current solution is to replace innerHTML but that can enable XSS attacks. Need to think of and implement a better approach.

oxalorg commented 4 years ago
// Use the browser's built-in functionality to quickly and safely escape
// the string
function escapeHtml(str) {
    var div = document.createElement('div');
    div.appendChild(document.createTextNode(str));
    return div.innerHTML;
}

This seems like a decent approach: http://shebang.mintern.net/foolproof-html-escaping-in-javascript/

nileshtrivedi commented 4 years ago

Reopened as Firefox Store complains about the Function constructor and unsafe assignment to innerHTML.

oxalorg commented 4 years ago

Hmm, the innerHTML is actually a safe assignment since we're escaping all the variables. It's probably giving a warning because it detects a function instead of a string.

I'll check if there's a better approach to do things to get rid of these warnings.

BTW can we force publish even with these warnings? 🙈
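One way to get rid of the innerHTML warning altogether, as an added example that is not part of this thread or the extension's code: build the popup with DOM methods (createElement, createTextNode, setAttribute) so untrusted strings are never parsed as HTML and no escaping step is needed. The example assumes alternatives are objects of the form `{ name, url }` and ships a tiny stand-in for `document` (assumption, for running outside a browser); in the extension you pass the real `document`.

```javascript
// Added example (not the project's code): render the popup without innerHTML.
// Untrusted strings (explanation, alternative names) become text nodes only,
// and link targets are restricted to http(s) so a javascript: URL cannot run.

// Minimal stand-in for `document` so the example runs in Node (assumption).
// It supports only the three calls buildPopup uses.
function fakeDocument() {
  function element(tag) {
    return {
      tagName: tag.toUpperCase(),
      children: [],
      attrs: {},
      appendChild(child) { this.children.push(child); return child; },
      setAttribute(name, value) { this.attrs[name] = String(value); },
    };
  }
  return {
    createElement: (tag) => element(tag),
    createTextNode: (text) => ({ tagName: '#text', text: String(text) }),
  };
}

// Return a normalized http(s) URL, or null for anything else (javascript:,
// data:, relative strings, garbage). Rejected entries are shown without a link.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (_) {
    // not an absolute, parseable URL
  }
  return null;
}

// Build <div><p>explanation</p><ul><li><a href=...>name</a></li>...</ul></div>.
// `doc` is the real `document` in the extension, or fakeDocument() here.
function buildPopup(doc, explanation, alternatives) {
  const root = doc.createElement('div');

  const para = doc.createElement('p');
  para.appendChild(doc.createTextNode(explanation)); // text node: never parsed as markup
  root.appendChild(para);

  const list = doc.createElement('ul');
  for (const alt of alternatives) {
    const item = doc.createElement('li');
    const href = safeHref(alt.url);
    if (href) {
      const link = doc.createElement('a');
      link.setAttribute('href', href);
      link.setAttribute('rel', 'noopener noreferrer');
      link.appendChild(doc.createTextNode(alt.name));
      item.appendChild(link);
    } else {
      // Unsupported scheme: keep the name visible, drop the link.
      item.appendChild(doc.createTextNode(alt.name));
    }
    list.appendChild(item);
  }
  root.appendChild(list);
  return root;
}

// Constructed sample input containing markup and a javascript: URL, to show
// that both stay inert when rendered through DOM methods.
const SAMPLE_EXPLANATION = 'Try a local alternative <img src=x onerror=alert(1)>';
const SAMPLE_ALTERNATIVES = [
  { name: 'Signal', url: 'https://signal.org/' },
  { name: '<script>alert(2)</script>', url: 'javascript:alert(3)' },
];

// Stand-alone entry point: uses the real document in a browser, the stand-in in Node.
function demo() {
  const doc = typeof document !== 'undefined' ? document : fakeDocument();
  return buildPopup(doc, SAMPLE_EXPLANATION, SAMPLE_ALTERNATIVES);
}

demo();
```

In the extension's popup script you would call `buildPopup(document, explanation, alternatives)` and attach the result with `container.replaceChildren(built)` (or clear the container and `appendChild`). Because no string is ever assigned to innerHTML, the escapeHtml helper above becomes unnecessary and the store linter has nothing to flag.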

nileshtrivedi commented 4 years ago

Yes, Mozilla has approved the add-on in its current form. I had written a note about why our implementation is actually safe.