Skip to content
This repository has been archived by the owner on Feb 12, 2022. It is now read-only.

Clean repeater list extension row content of XSS (fix #1973) #1974

Closed
wants to merge 3 commits into from
Closed

Clean repeater list extension row content of XSS (fix #1973) #1974

wants to merge 3 commits into from

Conversation

swilliamset
Copy link
Contributor

fix #1973

Added unit test structure for multiple known XSS patterns and ease of adding more.

Updated existing clean method to prevent double encoding.

@swilliamset swilliamset requested a review from cmcculloh-kr May 18, 2017 16:41
@swilliamset
Copy link
Contributor Author

@TheJaredWilcurt please review this as well

@swilliamset
Copy link
Contributor Author

After review with @TheJaredWilcurt this needs further discussion.

Between customizing the content of data returned by the dataSource data object or the usage of list_columnRendered option the responsibility of ensuring the data is xss clean is up to the consuming code.

The current approach would be a breaking change. Any markup returned by the dataSource will be encoded and not render. Instead applications would need to sure only straight text is passed via the dataSource and any custom markup (ie a link) should be provided using list_customRendered.

To not be a breaking change cleanUp could include an option for a less strict regex that only matches <script> or agreed upon pattern to recognize unsafe code. This can be super complicated.

Possible options:

  • reject solution entirely - all xss responsibility on consuming code
  • keep solution - document only pure text (no markup) should be returned from dataSource
  • modified solution - only encode unsafe markup returned by dataSource

cc @futuremint @CormacMcCarthy

@swilliamset
Copy link
Contributor Author

Closing as wontfix.

XSS free data is the responsibility of the consuming application. It is recommended to use the dataSource object to insure data is xss free. The cleanInput utility used in this solution could be used to scrub the data.

In the spirit of separation of concerns any markup used to enhance the data (links, icons, etc) should be introduced via the list_columnRendered hook. This will insure dataSource data is markup free.

@swilliamset swilliamset mentioned this pull request May 23, 2017
Merged
@swilliamset swilliamset deleted the fix-xss-in-repeater branch May 23, 2017 17:59
@cmcculloh-kr
Copy link

As we discussed yesterday, I don't believe that dataSource actually should be markup free. I believe that dataSource is where the pre-render actions take place. list_columnRendered is only for things that must take place after something has been rendered to the page (like checking to see if something is visible, or measuring it). Any formatting or html templating should take place prior to attaching to the DOM because of the massive performance hit that doing those things in list_columnRendered (after they have been attached to the DOM) can be. If you have 100 rows, each with 10 columns, then running list_columnRendered 1000 times and doing all of your DOM manipulation there on "data" that has already been attached can and has caused page crashes.

The misnamed, so-called, "dataSource" is really more of a "contentSource". It both gets the data from the server (or itself) and takes care of all of the rendering.

@cmcculloh-kr cmcculloh-kr modified the milestone: 3.16.1 Jun 7, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@cmcculloh-kr cmcculloh-kr Awaiting requested review from cmcculloh-kr

Assignees
No one assigned
Labels
Wontfix
Projects
None yet
Milestone
3.16.1
Development

Successfully merging this pull request may close these issues.

Repeater row content XSS
2 participants
@swilliamset @cmcculloh-kr