Yep this works for me.
Michael
On 11/11/14 17:17, Damian, Alexandru wrote:
Agreed that this is an XSS security issue - Thank you for
demonstrating it !
I wrongly assumed that json.dumps() will HTML-escape the strings
passed to it - apparently it lacks the option to do so, even if it's
in the JSON spec.
I have a modified patch that:
- provides Python-to-JSON dump in a template filter
- said template filter escapes HTML content, keeping the output
JSON-compatible
- modifies all occurences of json.dumps in views.py to use this filter
In the same patch I have several other security fixes, since the XSS
path remained open inside Angular, or for the commands sent to the server.
Can you please review the patch at:
http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=toaster/master
Cheers,
Alex
On Tue, Nov 11, 2014 at 11:31 AM, Michael Wood
<[email protected] <mailto:[email protected]>> wrote:
Hi,
Valid json can contain unescaped markup tags which will break the
javascript e.g. if you put your project name to "</script><h2>Hi
mum<!-- or worse some javascript --></h2>" the project page will
interpret that.
http://jsfiddle.net/uLpecL5o/
The escapejs filter will escape all the correct characters the
resulting string of the json can then be safely parsed by the browser.
If we want to use |safe we really need to be sure that data is
safe, which may mean that instead we sanitise it before storing it.
Oops yes too long working with jinja2 which is based on django got
confused there!
Michael
On 07/11/14 16:52, Damian, Alexandru wrote:
Hi,
Hi, this is a good point you raise here - there are some
aspects that need considering, though -
the data coming in this page (e.g. prj, builds, etc..) is
already coming as JSON, the conversion is done in the view.
Here we mark the value as not needing any further escape
(through the safe filter) because we know it's already a valid
json string.
json is already valid javascript code, so we don't need to
parse it manually, the browser will interpret it as such.
btw, we're not using jinja2 templating engine, we use the
built-in django templating engine :)
Cheers,
Alex
On Thu, Nov 6, 2014 at 4:11 PM, Michael Wood
<[email protected] <mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>> wrote:
When passing the data from the jinja2 template to
javascript make sure
we escape and parse the JSON to avoid any invalid values being
interpreted.
Signed-off-by: Michael Wood <[email protected]
<mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>>
---
bitbake/lib/toaster/toastergui/templates/project.html | 14
+++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git
a/bitbake/lib/toaster/toastergui/templates/project.html
b/bitbake/lib/toaster/toastergui/templates/project.html
index 6a81283..00fb2b4 100644
--- a/bitbake/lib/toaster/toastergui/templates/project.html
+++ b/bitbake/lib/toaster/toastergui/templates/project.html
@@ -335,13 +335,13 @@
angular.element(document).ready(function() {
scope.urls.layers = "{% url 'layers' %}";
scope.urls.targets = "{% url 'targets' %}";
scope.urls.importlayer = "{% url 'importlayer'%}"
- scope.project = {{prj|safe}};
- scope.builds = {{builds|safe}};
- scope.layers = {{layers|safe}};
- scope.targets = {{targets|safe}};
- scope.frequenttargets = {{freqtargets|safe}};
- scope.machine = {{machine|safe}};
- scope.releases = {{releases|safe}};
+ scope.project = JSON.parse ("{{prj|escapejs}}");
+ scope.builds = JSON.parse ("{{builds|escapejs}}");
+ scope.layers = JSON.parse ("{{layers|escapejs}}");
+ scope.targets = JSON.parse ("{{targets|escapejs}}");
+ scope.frequenttargets = JSON.parse
("{{freqtargets|escapejs}}");
+ scope.machine = JSON.parse ("{{machine|escapejs}}");
+ scope.releases = JSON.parse ("{{releases|escapejs}}");
scope.zone1alerts = [];
scope.zone2alerts = [];
--
1.9.1
--
_______________________________________________
toaster mailing list
[email protected] <mailto:[email protected]>
<mailto:[email protected]
<mailto:[email protected]>>
https://lists.yoctoproject.org/listinfo/toaster
--
Alex Damian
Yocto Project
SSG / OTC
---------------------------------------------------------------------
Intel Corporation (UK) Limited
Registered No. 1134945 (England)
Registered Office: Pipers Way, Swindon SN3 1RJ
VAT No: 860 2173 47
This e-mail and any attachments may contain confidential
material for
the sole use of the intended recipient(s). Any review or
distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
---------------------------------------------------------------------
Intel Corporation (UK) Limited
Registered No. 1134945 (England)
Registered Office: Pipers Way, Swindon SN3 1RJ
VAT No: 860 2173 47
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
--
Alex Damian
Yocto Project
SSG / OTC
---------------------------------------------------------------------
Intel Corporation (UK) Limited
Registered No. 1134945 (England)
Registered Office: Pipers Way, Swindon SN3 1RJ
VAT No: 860 2173 47
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
--
_______________________________________________
toaster mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/toaster
