Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

trace() output not escaped properly before rendered into web page #81

Open
Jens-G opened this issue Apr 2, 2015 · 4 comments
Open

trace() output not escaped properly before rendered into web page #81

Jens-G opened this issue Apr 2, 2015 · 4 comments

Comments

@Jens-G
Copy link

Jens-G commented Apr 2, 2015

http://try.haxe.org/#e9c1E

     trace('<script>alert("yo man")</script>');

This leads to an alert() being shown, which should not happen.
Instead, the string should be printed into the output window.

@Jens-G Jens-G changed the title trace() output not filtered properly before rendered into web page trace() output not escaped properly before rendered into web page Apr 2, 2015
@markknol
Copy link
Contributor

markknol commented Apr 3, 2015

This is a bug in https://github.com/markknol/console-log-viewer I'll fix this soon.

@markknol
Copy link
Contributor

markknol commented Apr 3, 2015

It now logs html-tags correct: http://try.haxe.org/#F659f

BUT it does not solve what's happening here.

The <script> inside the log create/close the script tag on the page, so it's correct you see half of the code and an illegal token error.
It's basically does the same when you create this html-page:

<script><script>alert('yo man')</script> bla bla</script>

This writes the everything after the first </script> on the page.

@clemos Should we blacklist something like this too? Since you can now break the script tag premature; I'm not sure if this is a potential security issue too.

@clemos
Copy link
Owner

clemos commented Apr 3, 2015

I guess I should not inline the generated JS in the "runner" iframe, that's all.
I'll look into that.

@Jens-G
Copy link
Author

Jens-G commented Apr 3, 2015

Thanks for looking at this,. Two remarks:

a) In console.log("<div>alert(yo man\")</div>"); the closing div tag should be escaped too: console.log("<div>alert(yo man\")<\/div>");

Reference: https://mathiasbynens.be/notes/etago

b) Re security: Whenever I'm able to inject code into a page like we have it here, I'd recommend to always treat it as security relevant, even when it actually seems not to be an exploitable thing. Why? Two reasons:

  • it is hard to know how that code is going to be used in the future, and at some day it may become security relevant, but nobody will notice it until someone actually exploits it and does some real damage.
  • people are f*ing damn creative when it comes to craft exploits, beyond your wildest imaginations. The problem we face here is mainly that of what is called "the unknown unknowns": you don't know what you don't know, and thus may overlook a weak point in the entire security concept.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants