node-red-dashboard icon indicating copy to clipboard operation
node-red-dashboard copied to clipboard
verified publisher icon node-red

User can inject JavaScript code into the text node which can cause security issues( Cross-Site Scripting)

Open GowriAradhya opened this issue 3 years ago • 0 comments

What are the steps to reproduce?

Drag Dashboard Text Node and inject node into the Node-red workspace . Click on Edit text node and add value format value as {{constructor.constructor('alert(document.cookie)')()}}.

What happens?

Malicious script code can be injected permanently into the Node-red. Using injected code, an user could, for example, steal Node Red identifiers of any other sensitive information.

What do you expect to happen?

when Data in JavaScript format is injected to text node output must be converted to string .

Please tell us about your environment:

  • [ x] Node-RED-Dashboard version: 3.1.2
  • [ x] Node-RED version: 2.1.4
  • [ x] node.js version: 14.18.2
  • [ ] npm version:
  • [x] Platform/OS: docker
  • [ x ] Browser: Chrome

GowriAradhya avatar Aug 05 '22 08:08 GowriAradhya