HTML input is not sanitized

Open gianklug opened this issue 2 years ago • 6 comments

You can use any HTML as and can even inject JavaScript by using <img src="broken" onerror="your_js_code"></img>. If many users are using snapweb, this could be considered a security issue.

gianklug avatar Nov 19 '21 13:11 gianklug

Where and how can you use any HTML?

badaix avatar Nov 19 '21 15:11 badaix

In the Device nickname field

gianklug avatar Nov 19 '21 15:11 gianklug

True, seems that the readme is still valid :)

This web client is the author's first JavaScript/TypeScript project and is rather a proof of concept for the Snapserver's WebSocket API.

badaix avatar Nov 19 '21 15:11 badaix

Does the issue mentioned only affect client-side JavaScript, or the server side as well?

nanderer avatar Jan 09 '22 23:01 nanderer

I didn't check the server part; however, I am able to display JavaScript alerts or open popups on a friend's PC using snapweb like this.

gianklug avatar Jan 10 '22 06:01 gianklug

The server doesn't interpret any JavaScript; it just serves files within the doc root directory.

badaix avatar Jan 10 '22 10:01 badaix
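
The behaviour reported in this thread, shown beside an escaped rendering of the same nickname. This is an added example, not part of the thread and not snapweb's code; it assumes a client that builds its markup from strings, and the names escapeHtml, SafeHtml, html, renderRowUnsafe, renderRowSafe and renderList, as well as the row markup, are hypothetical.

```javascript
// Added example, not snapweb code. All function names and markup are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker for fragments already built by html``, so nesting does not double-escape.
class SafeHtml {
  constructor(text) { this.text = text; }
  toString() { return this.text; }
}

// Tagged template: literal parts are trusted, every interpolated value is escaped.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    const parts = Array.isArray(v) ? v : [v];
    out += parts.map((p) => (p instanceof SafeHtml ? p.text : escapeHtml(p))).join("");
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// Vulnerable pattern: the nickname is concatenated into markup as-is.
function renderRowUnsafe(client) {
  return '<div class="client" title="' + client.name + '">' + client.name + "</div>";
}

// Hardened pattern: same markup, nickname escaped in text and attribute context.
function renderRowSafe(client) {
  return html`<div class="client" title="${client.name}">${client.name}</div>`.toString();
}

// Nested fragments stay intact while each nickname is still escaped exactly once.
function renderList(clients) {
  const rows = clients.map((c) => html`<div class="client">${c.name}</div>`);
  return html`<section>${rows}</section>`.toString();
}

// Constructed sample input using the payload shape quoted in the issue.
const sample = { name: '<img src="broken" onerror="your_js_code"></img>' };
console.log(renderRowUnsafe(sample));
console.log(renderRowSafe(sample));
```

This escaping covers HTML text and quoted attribute values only, not script or URL contexts. In a browser, assigning the nickname to an element's textContent avoids HTML parsing of the value altogether.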