Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
XSS protection - hook on runtime vnode patching?
See original GitHub issueWhat problem does this feature solve?
The following code is vulnerable to XSS attacks:
<a :href="untrusted_data">
<p v-html="untrusted_data"></p>
<img :onload="untrusted_data" :onerror="untrusted_data">
Web devs can do filtering in application level, via custom filters. However there are problems too:
- Application code could have no knowledge of runtime, is it running in browsers/weex/… ?
- There might be human errors, e.g. a newcomer of dev group fails to apply proper filter to an untrusted field.
What really interests me is xss filtering in renderer or vnode level, while being kept transparent to application code.
What does the proposed API look like?
Vue.vnodeHooks.prepatch(vnode => {}), called before patching, for every vnode.
const getAttribute = (vnode, attr) => {
const val = vnode.data && vnode.data.attrs && vnode.data.attrs[attr]
return val
}
const setAttribute = (vnode, attr, val) => {
vnode.data.attrs[attr] = val
}
const getInnerHTML = (vnode) => {
const html = vnode.data && vnode.data.domProps && vnode.data.domProps.innerHTML
return html
}
const setInnerHTML = (vnode, html) {
vnode.data.domProps.innerHTML = html
}
// called before patching for every vnode
Vue.vnodeHooks.prepatch((vnode) => {
// ignore components
if (vnode.componentInstance) {
return
}
// remove onload/onerror string
const onload = getAttribute(vnode, 'onload')
const onerror = getAttribute(vnode, 'onerror')
if (typeof onload === 'string') {
setAttribute('onload', '')
} else if (typeof onerror === 'string') {
setAttribute('onerror', '')
}
// redirect javascript href to 404
if (vnode.tag === 'a') {
const href = getAttribute(vnode, 'href')
if (typeof href === 'string' && /^\s*javascript:/i.test(href)) {
setAttribute(vnode, 'href', '/404')
}
}
// sanitize html
const html = getInnerHTML(vnode)
if (typeof html === 'string') {
setInnerHTML(
vnode,
sanitize(html)
)
}
})
Issue Analytics
- State:
- Created 5 years ago
- Comments:7 (5 by maintainers)
Top Results From Across the Web
X-XSS-Protection - HTTP - MDN Web Docs
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they ...
Read more >Protect from cross-site scripting attacks - IBM Garage Practices
In a cross-site scripting (XSS) attack, an attacker injects HTML markup or JavaScript into the affected web application's front-end client.
Read more >DOM based XSS Prevention - OWASP Cheat Sheet Series
The XSS Prevention Cheatsheet does an excellent job of addressing Reflected and Stored XSS. This cheatsheet addresses DOM (Document Object Model) based XSS...
Read more >React XSS Guide: Examples and Prevention - StackHawk
One such vulnerability is cross-site scripting (XSS). In this post, you'll understand what XSS is and how it impacts your users.
Read more >Learning More About Cross Site Scripting - K2 Cyber Security
A great start for XSS security is using runtime application security. The latest draft version of the NIST Framework for SP 800-53 now ......
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Btw, this is what I have so far in our upcoming security guide regarding this specific issue:
Feedback welcome. 🙂
@OpenGG I do mention event attributes like that. 🙂