Sanitation of User Input

Open ezraberch opened this issue 3 years ago • 1 comments

Many web applications allow for custom content shared between users, such as user comments. Failure to sanitize that content can lead to security issues. #421 adds some basic sanitation functionality, but only in a very specific context. The problem is far broader.

To see the issue, go to the TextField section of the demo and paste this in the first text field: <a onMouseOver="alert('Arbitrary JavaScript Executed')">Some Text</a>

Mousing over the rendered text will execute the injected JavaScript.

This can be protected against at the app level, but it is best not to rely on that, especially since this isn't an issue in a traditional SwiftUI app.

While text displayed should be sanitized by default, it is important to provide a mechanism for app developers to disable this functionality when required (for text coming from specific trusted users, for example). It would also be beneficial to define multiple sanitation levels/strategies; it might be desirable to allow things like <b> while still filtering out custom JavaScript.

ezraberch avatar Jul 09 '21 14:07 ezraberch

DOMPurify is a good lib for this

aehlke avatar Sep 19 '23 15:09 aehlke