Hi Brian,

I tend to agree with your analysis.

Source edit mode seems to be a separate module:
https://dojotoolkit.org/reference-guide/1.10/dijit/_editor/plugins/ViewSource.html
I do not know whether that one is included or not. According to that module page it has filtering support to filter out such things to avoid XSS attacks.

I agree with you that the server side that the data is posted to also needs to do validation of the contents, as you cannot trust a client-side security check.

I think we can mark this as ignored, as this is more of a minor security problem.

Best regards

// Ola

On 6 February 2018 at 08:31, Brian May <[email protected]> wrote:
> Hello All,
>
> Looking at
> https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md:
>
> The complaint appears to be: If I directly enter HTML into the
> JavaScript editor using its source mode, I can enter HTML code that
> contains JavaScript code, which could lead to an XSS attack.
>
> I tried to reproduce this with the same online editor:
> http://demos.dojotoolkit.org/demos/editor/demo.html
>
> However I seem to be unable to find the source mode button.
>
> Let's just assume this complaint is reproducible.
>
> This is a JavaScript application, designed to run entirely - I believe -
> in the browser. Hence even if the JavaScript application filtered
> dangerous HTML text, the fact remains it is still possible for the user
> to override the data submitted and still create XSS attacks.
>
> Hence I believe the only solution for this security bug is that the
> server the data is being submitted to must sanitise the HTML to ensure
> it is safe (and should already be doing so).
>
> While this might be a bug, I don't believe the failure of a JavaScript
> library to validate input is a *security* *bug*, as the server should be
> doing this.
>
> Any comments?
>
> Regards
> --
> Brian May <[email protected]>
> https://linuxpenguins.xyz/brian/

-- 
--- Inguza Technology AB --- MSc in Information Technology ----
/ [email protected]            Folkebogatan 26              \
| [email protected]            654 68 KARLSTAD              |
| http://inguza.com/        Mobile: +46 (0)70-332 1551     |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
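The point both messages make, that the server receiving the editor's output must sanitise it itself because anything the browser-side editor filters can be bypassed by posting the data directly, as an added example that is not part of this thread and not Dojo's or the reporter's code. It is an allowlist-based HTML sanitizer written only against the Python standard library; the tag and attribute allowlists, the URL-scheme allowlist and the `EDITOR_SUBMISSION` sample are constructed for the demonstration and are not taken from the thread.

```python
# Added example (not code from the thread or from Dojo): a server-side,
# allowlist-based HTML sanitizer built only on the Python standard library.
# Whatever the browser-side editor filters, the server re-sanitizes what it
# actually receives. Allowlists and the sample submission are constructed.
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}   # every other attribute (onerror, style, ...) is dropped
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}  # tag AND content go
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return the href unchanged if it is relative or uses an allowlisted scheme, else None."""
    scheme = urlparse(value.strip()).scheme.lower()
    return value if scheme == "" or scheme in SAFE_URL_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowlisted tags emitted and not yet closed
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag removed; its text content (if any) survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                value = safe_href(value or "")
                if value is None:
                    continue  # e.g. javascript: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag too, so output stays well-formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are silently dropped:
    # HTMLParser's default handlers for them emit nothing.


def sanitize_html(untrusted):
    """Return a sanitized copy of untrusted HTML, closing any tags left open."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    while parser.open_tags:
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample: what a tampered editor submission could contain.
EDITOR_SUBMISSION = (
    '<p onmouseover="alert(1)">Hello <b>world</b></p>'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/">ok</a>'
    '<img src=x onerror="alert(1)">'
    '<p>Tom &amp; Jerry</p>'
)

if __name__ == "__main__":
    print(sanitize_html(EDITOR_SUBMISSION))
```

The sample shows why an allowlist is the right shape: a denylist that only strips `<script>` would leave the `onmouseover` handler, the `onerror` handler on the `img` and the `javascript:` link intact, while the allowlist keeps only `p`, `b`, `a` and an `href` with a permitted scheme, and re-escapes all text. In production a maintained sanitizer library should be used rather than a hand-written one; the value of the snippet is in showing what such a library has to do on the server regardless of what the editor did in the browser.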
