
PrismJS is outdated and prone to DOM XSS

Open BradHolmes opened this issue 3 years ago • 6 comments

A Checkmarx scan of our docsy-themed documentation turned up a reported Client DOM XSS vulnerability in static/js/prism.js. It reports:

The application's o embeds untrusted data in the generated output with element, at line 120 of .../static/js/prism.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

The problematic 'o' method:

function o(e) {
    // e is the already-highlighted markup string; it is stored on the env object,
    // then assigned to element.innerHTML (the flagged sink) between the hook runs.
    l.highlightedCode = e,
    M.hooks.run("before-insert", l),
    l.element.innerHTML = l.highlightedCode,
    M.hooks.run("after-highlight", l),
    M.hooks.run("complete", l),
    t && t.call(l.element)
}

I see that static/js/prism.js appears to be a hard-coded copy of approximately v1.21.0 of PrismJS. But it isn't clear where exactly it came from. Should it be pulled in dynamically as an npm dependency? Or alternatively, should a small change be made to static/js/prism.js to sanitize e before inserting it into the DOM?

BradHolmes, Jul 27 '22 13:07
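To make the finding concrete, here is an added example (not Docsy's or Prism's code) of a toy keyword highlighter in the two shapes a scanner distinguishes: one that lets token text flow unencoded into the HTML string destined for innerHTML, and the hardened form that HTML-encodes every token's content before wrapping it in the highlighter's own spans. The function names (encodeHtml, tokenize, highlightUnsafe, highlightSafe, containsForeignMarkup) and the sample source text are hypothetical and constructed for this example; the check at the end is the kind of assertion a reviewer can run over generated markup before it reaches the DOM.

```javascript
// Added example, not code from Docsy or PrismJS. All names here are hypothetical.
// Demonstrates why highlighted markup must be built from HTML-encoded text
// before it is assigned to element.innerHTML.

const KEYWORDS = new Set(["if", "else", "return", "function", "const", "let"]);

// Escape the characters that can open a tag or an entity.
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Split source text into identifier/keyword tokens and the runs between them.
// Token content is still raw text at this point.
function tokenize(code) {
  const tokens = [];
  const re = /[A-Za-z_]\w*/g;
  let last = 0;
  let m;
  while ((m = re.exec(code)) !== null) {
    if (m.index > last) {
      tokens.push({ type: "text", content: code.slice(last, m.index) });
    }
    tokens.push({ type: KEYWORDS.has(m[0]) ? "keyword" : "text", content: m[0] });
    last = re.lastIndex;
  }
  if (last < code.length) {
    tokens.push({ type: "text", content: code.slice(last) });
  }
  return tokens;
}

// The pattern a DOM XSS scanner flags: raw token text is concatenated into the
// markup string, so any tag present in the source text becomes real HTML once
// the string is assigned to innerHTML.
function highlightUnsafe(code) {
  return tokenize(code)
    .map((t) =>
      t.type === "keyword"
        ? `<span class="token keyword">${t.content}</span>`
        : t.content
    )
    .join("");
}

// Hardened form: encode each token's content first, then wrap it. Only the
// highlighter's own <span> elements are ever parsed as markup.
function highlightSafe(code) {
  return tokenize(code)
    .map((t) => {
      const safe = encodeHtml(t.content);
      return t.type === "keyword"
        ? `<span class="token keyword">${safe}</span>`
        : safe;
    })
    .join("");
}

// Reviewer's check: remove the highlighter's own span wrappers and verify that
// nothing resembling a tag survives in what is left.
function containsForeignMarkup(html) {
  const stripped = html.replace(/<\/?span\b[^>]*>/g, "");
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed sample input: ordinary source text that happens to contain a tag
// inside a string literal, which is exactly what a code block may legitimately hold.
const SAMPLE = 'if (a < b) { return "<b>bold</b>"; }';

console.log("unsafe :", highlightUnsafe(SAMPLE));
console.log("safe   :", highlightSafe(SAMPLE));
console.log("unsafe output carries foreign markup:", containsForeignMarkup(highlightUnsafe(SAMPLE)));
console.log("safe output carries foreign markup  :", containsForeignMarkup(highlightSafe(SAMPLE)));
```

The point the check makes is that the sink (`innerHTML`) is not the bug by itself; what matters is whether every byte of untrusted text that reaches it was encoded before the highlighter's markup was generated. That is the property to verify in whatever Prism version ends up being vendored or loaded from a CDN.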

@chalin what do you think?

LisaFC, Jul 27 '22 16:07

Thanks @BradHolmes for reporting this. Yes we should fix this. I'd vote for switching over to using a CDN. Any objections @LisaFC?

chalin, Jul 27 '22 16:07

No objections here!

LisaFC, Jul 27 '22 18:07

+1 for CDN

emckean, Jul 27 '22 21:07

Is there anything I can do to help make this switch to CDN?

BradHolmes, Aug 02 '22 15:08

Looking into this a bit more, and reading about how Docsy provides Prism support, I'd like to suggest that we simply update the Prism JS and CSS files to the current version (1.28.0 atm).

chalin, Aug 09 '22 17:08