Make use trusted-types #2408
Comments
They're mostly of the form: element.innerHTML = '<span class="icon-label">' + element.dataset.labelLoading + '</span>'; ... so they just pull data attributes stuff from elsewhere in the DOM. You'd have to XSS a value into the data attribute for this to be an XSS.
The issue isn't that the current usage of
Those examples are easy enough to replace with code that uses
You're vastly overestimating my javascript fluency: I'm a simple security engineer, those javascript vagaries confuse and frighten me.
I understand the desire to have a type system solve XSS, but there's a good reason math teachers make you learn first principles first. This kind of method is also discussed in the documentation for trusted types... which makes me think you're on here telling someone to use a library when you haven't even read its docs... (though the example for that method ... messes up the escaping in the article and shows a broken image, which is absolutely amazing to me): Edit: linked to the docs
I'm a security engineer at Google, I sit right next to the people who designed trusted-types and shipped them into Chrome :p I'm pretty well versed in its threat model and deployment, it's just that I do suck at javascript. But anyway, once I'm done rampaging through the go codebase, odds are that I'll tackle this issue myself, if nobody else does it before.
@jvoisin That's handy! Can you let them know about that doc bug I mentioned? I couldn't find a way of reporting it without a google account :(
XSS are still somehow a plague in 2024, but luckily we have some ways to mitigate them:

The main blocker for trusted-types adoption is the pervasive usage of .innerHTML in app.js: it shouldn't be too hard™ to replace those with non-injectable sinks. I think it would make a great low-hanging/easy issue for anyone knowing javascript and wanting to contribute to miniflux.

Having trusted-types support in miniflux would prevent DOM-XSS not only in miniflux' own javascript code, but in its dependencies as well.

The only remaining issues are:
- handleFetchOriginalContent in app.js
- bootstrap.js: the src being defined in a template as <script src="{{ route "javascript" "name" "service-worker" "checksum" .sw_js_checksum }}" defer id="service-worker-script"></script>, but I don't think we want to use templating in the javascript files.
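Added example, not miniflux's own code: the innerHTML pattern quoted in the comments above rewritten against a non-injectable sink, plus a Trusted Types policy that escapes anything still routed through an HTML sink. The policy name `miniflux-escape` and the tiny DOM stand-in (so the code runs outside a browser) are assumptions of this example.

```javascript
// Constructed stand-in for the DOM so this runs in Node; in the browser,
// drop it and pass the real `document` (or rely on the default below).
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.className = '';
    this.textContent = '';
    this.children = [];
    this.dataset = {};
  }
  replaceChildren(...nodes) { this.children = nodes; }
}
const fakeDocument = { createElement: (tag) => new FakeElement(tag) };

// Before (injectable sink, as quoted in the issue):
//   element.innerHTML = '<span class="icon-label">' + element.dataset.labelLoading + '</span>';
// After: build the node and set the label via textContent, so whatever sits in
// the data attribute is rendered as text and never parsed as markup.
function setLoadingLabel(element, document = globalThis.document || fakeDocument) {
  const span = document.createElement('span');
  span.className = 'icon-label';
  span.textContent = element.dataset.labelLoading;
  element.replaceChildren(span);
  return span;
}

// Escape the five HTML-significant characters for the rare sink that really
// must receive a string of HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Trusted Types policy: once the page is served with
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types miniflux-escape
// innerHTML assignments of plain strings throw, and only TrustedHTML produced by
// this policy (i.e. escaped text) is accepted. Policy name is an assumption.
function createEscapingPolicy(tt = globalThis.trustedTypes) {
  if (!tt) return null; // browser without Trusted Types: escapeHtml() alone still applies
  return tt.createPolicy('miniflux-escape', { createHTML: (s) => escapeHtml(s) });
}
```

Roll the header out as Content-Security-Policy-Report-Only first to find the remaining innerHTML sinks before enforcing it.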