
fix #6987 XSS vulnerability in browser sidebar #6988

Merged

Conversation

caseyflynn-google
Contributor

What it does

fixes #6987 XSS vulnerability in browser sidebar

Change simply updates innerHTML to innerText to ensure user-supplied
content does not impact the DOM.

How to test

1. Create a folder outside of Theia named "<style onload=alert(0)>"
   a. Example: mkdir <style\ onload=alert(0)>
2. In Theia click File -> Open Workspace
3. Select the directory named <style onload=alert(0)>
4. Open the file explorer

No alert should be displayed.


Signed-off-by: Casey Flynn <caseyflynn@google.com>
@caseyflynn-google caseyflynn-google added the security issues related to security label Jan 28, 2020
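The two rendering patterns the PR contrasts, as an added example that is not Theia's code: an untrusted directory name assigned through innerHTML is handed to the HTML parser, while the same name assigned as a text node stays inert. A minimal stand-in for DOM elements (FakeElement, an assumption for running outside a browser) replaces document.createElement; the directory name is the PR's own test case.

```javascript
// Added example (not Theia's code): render untrusted workspace entry names
// into a sidebar. FakeElement is a stand-in so this runs under Node; in a
// browser the same functions take real elements and document.createElement.
class FakeElement {
  constructor(tag) { this.tag = tag; this.innerHTML = ''; this.textContent = ''; this.children = []; }
  appendChild(child) { this.children.push(child); return child; }
}
const doc = { createElement: (tag) => new FakeElement(tag) };

// Escapes the five characters that let a string alter HTML structure; only
// needed when a name must be embedded in a markup string rather than a text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the name is parsed as markup, so a name such as
// "<style onload=alert(0)>" becomes a live element with an event handler.
function renderUnsafe(container, name, d = doc) {
  const li = d.createElement('li');
  li.innerHTML = name;
  return container.appendChild(li);
}

// Fixed pattern (what the PR does with innerText): the name becomes a text
// node, so "<" is just a character. textContent is the layout-independent equivalent.
function renderSafe(container, name, d = doc) {
  const li = d.createElement('li');
  li.textContent = name;
  return container.appendChild(li);
}

// Audit check: does a raw name contain something the HTML parser would
// treat as a tag if it were ever inserted as markup again?
function looksLikeMarkup(name) {
  return /<\s*[a-zA-Z!\/]/.test(name);
}

// Constructed input: the directory name from the PR's "How to test" steps.
const WORKSPACE_NAME = '<style onload=alert(0)>';
```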
Member

@akosyakov akosyakov left a comment


👍

@caseyflynn-google caseyflynn-google merged commit a6d565e into eclipse-theia:master Jan 29, 2020
@caseyflynn-google caseyflynn-google deleted the fix_sidebar_xss branch January 29, 2020 03:32
Contributor

RDIL commented Jan 30, 2020

Can you guys please publish a security advisory on GitHub (see security tab) so that anybody using the vulnerable versions gets sent an email automatically?

@luigigubello luigigubello mentioned this pull request Dec 16, 2020
1 task
Successfully merging this pull request may close these issues.

[browser] XSS vulnerability in browser sidebar
3 participants