angular-summernote
Danger for XSS
Hi,
This script is weak for XSS-attacks.
Tried the following:
<script>
alert('Hacked: ' + localStorage.getItem('auth-token'));
</script>
Should be fixed on the angular way maybe?
@bobmulder What do you mean? Do you mean enter the script in summernote editor?
@outsideris
I pressed the code button to see the html code. There I added the code from the first post. The result: When I load a page where I use summernote (using that html), the html is executed. In that case an alert was shown.
However, it could be possible this is a summernote-wide issue, instead of angular alone...?
@bobmulder Yes, this is on the summernote side. But I think it is beyond summernote's scope, because summernote is a front-end web editor. You should escape the contents you enter before you store them in the database.
If the user enters the code above and changes summernote mode to code view, it's not a problem, since the code is entered by the code. It is not an XSS attack.
@outsideris I see your point: it's the responsibility of your API (or however you want to call it). But, in my opinion, Summernote has a part of the responsibility too...
Take a look at this: https://docs.angularjs.org/api/ngSanitize/service/$sanitize. Would be helpful to implement, I guess?
@bobmulder I still don't think so, because summernote is a general-purpose editor. Somebody uses summernote for an article while others use it as a code editor. We can't escape all of it.
If you don't want to use codeview, you can hide it. And I think $sanitize is for displaying something safely in HTML, not for an editor.
I have used this. I hope it can help you:
$(document).ready(function () {
  // Strip every literal <script> opening tag from the code-view textarea as the user types.
  $(document).on('keyup', '.note-codable', function () {
    var value = $(this).val();
    if (value.indexOf('<script>') > -1) {
      $(this).val(value.replace(/<script>/g, ''));
    }
  });
});