Hello All,

Looking at https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md:

The complaint appears to be: If I directly enter HTML into the JavaScript editor using its source mode, I can enter HTML code that contains JavaScript code, which could lead to an XSS attack.

I tried to reproduce this with the same online editor: http://demos.dojotoolkit.org/demos/editor/demo.html

However, I seem to be unable to find the source mode button. Let's just assume this complaint is reproducible.

This is a JavaScript application, designed to run entirely - I believe - in the browser. Hence, even if the JavaScript application filtered dangerous HTML text, the fact remains it is still possible for the user to override the data submitted and still create XSS attacks.

Hence I believe the only solution for this security bug is that the server the data is being submitted to must sanitise the HTML to ensure it is safe (and should already be doing so).

While this might be a bug, I don't believe the failure of a JavaScript library to validate input is a *security* *bug*, as the server should be doing this.

Any comments?

Regards
--
Brian May <[email protected]>
https://linuxpenguins.xyz/brian/
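An illustration of the server-side sanitisation the message argues the receiving server must do regardless of what the editor filters, as an added example that is not part of the original message, of the 404team report, or of Dojo's dijit editor: an allowlist HTML sanitiser built on Python's standard `html.parser`. It keeps only allowlisted tags, discards every attribute that is not explicitly permitted (so event handlers such as `onclick`/`onerror` never survive), drops `script`/`style` elements together with their contents, and accepts `href` values only for http, https, mailto or site-relative links. The allowlist, the hypothetical `sanitize_html` function and the sample input are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for rich-text input; adjust to what the application actually needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "u", "ul", "ol", "li", "br",
                "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (style, on*, ...) is dropped
VOID_TAGS = {"br"}                        # tags that take no closing tag
DROP_CONTENT_TAGS = {"script", "style"}   # removed together with their contents
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Accept only known-safe schemes or site-relative links; urlparse also
    strips tab/newline characters, so 'java\\nscript:' is still rejected."""
    parsed = urlparse(value.strip())
    if parsed.scheme == "":
        # conservative: only root-relative paths and fragments, not bare names
        return value.startswith("/") or value.startswith("#")
    return parsed.scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a document from an allowlist; anything not listed is lost."""

    def __init__(self):
        # convert_charrefs=True hands us decoded text, which we re-escape on output
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = False     # inside <script>/<style>
        self.open_tags = []       # stack used to emit well-formed closing tags

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_CONTENT_TAGS:
                self.dropping = False
            return
        if tag in self.open_tags:
            # close anything left open inside this element, then the element itself
            while True:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # comments, processing instructions and declarations are silently discarded


def sanitize_html(untrusted):
    """Hypothetical server-side entry point: returns markup safe to store and render."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    while parser.open_tags:  # close tags the client left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of what a client could submit after bypassing the editor.
    submitted = ('<p onclick="alert(1)">Hello <b>world</b></p>'
                 '<script>alert(document.cookie)</script>'
                 '<img src=x onerror=alert(1)>'
                 '<a href="javascript:alert(1)">x</a>'
                 '<a href="https://example.com">ok</a>')
    print(sanitize_html(submitted))
```

Because the parser re-serialises from scratch rather than trying to strip "bad" patterns from the original string, the output is well-formed even for unclosed or mis-nested input, and new attack vectors in the client (a different event attribute, a new element) do not need a matching change here.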
