XSS on new JSON example.

yesodweb / yesod-scaffold

The Yesod scaffolding, with branches for different versions.

MIT License

76 stars 39 forks source link

XSS on new JSON example. #103

Closed yogsototh closed 9 years ago

yogsototh commented 9 years ago

In the latest JSON support example, if you enter the following comment

<script>alert("Hi!!!");</script>

The script is triggered. It might be a good idea to protect it. I just discovered this. I didn't tried to fix it for now.

yogsototh commented 9 years ago

One simple solution (but not very nice) is to add this function

  var  escapeHtml = function (str) {
                        var div = document.createElement('div');
                        div.appendChild(document.createTextNode(str));
                        return div.innerHTML;
                        };

And to use it later:

        $("##{rawJS commentListId}").append("<li>" + escapeHtml(data.message) + "</li>");

I would certainly prefer the protection to be enforced by the type system thought.

gregwebs commented 9 years ago

Sanitization should be done on the server side whenever possible. @MaxGabriel has been improving the JSON support and will probably be interested in sanitizing this. Having a newtype for sanitizing is easy enough. The only downside is that it means you have to opt-in to using that type. With forms I believe the default is to sanitize everything.

MaxGabriel commented 9 years ago

I would think that the client should sanitize the values from JSON. Part of making a JSON API is that multiple clients can use it; you wouldn't want to sanitize HTML for JSON that goes to an iOS app or is consumed by another server. If the server was to sanitize it probably shouldn't be the default because of this.

gregwebs commented 9 years ago

right, in the general case one cannot XSS sanitize every single input. But generally speaking it is actually rare when there should be any html input at all. There are entire apps that never want HTML input. In these cases where it is known there shouldn't be html then it is a security hazard to have HTML sitting everywhere in your database.

Interestingly, Aeson changelog shows this in a much older version:

Angle brackets are now escaped in JSON strings, to help avoid XSS attacks.

But it doesn't seem like this is still the case.

It is possible to solve this at the level of persistent, but Yesod's goal is to enforce things at the boundaries, and for most use cases that would mean escaping at the boundaries. So I think we need a pattern for adding escaping onto an Aeson parser. What do you think?

gregwebs commented 9 years ago

closed by #106