Profile Image encoding with Validator.escape #1127
Comments
|
I've been working on a solution to this.. So far I've come up with using Angular Sanitize, in which case I modified the client Authentication service with this: user: {
displayName: $sanitize($window.user.displayName),
provider: $sanitize($window.user.provider),
username: $sanitize($window.user.username),
created: $sanitize($window.user.created.toString()),
roles: $window.user.roles,
profileImageURL: $sanitize($window.user.profileImageURL),
email: $sanitize($window.user.email),
lastName: $sanitize($window.user.lastName),
firstName: $sanitize($window.user.firstName)
}Does this seem redundant, since we're using Validator on the back-end? I'm leaning toward just sanitizing the Any thoughts? |
|
@mleanos yeah it seems redundant. |
|
@lirantal You mean don't sanitize it on the back-end with Validator? I think that's a good idea. I think we're just having an issue with this particular field because it's a path. I can change the PR to just remove the |
|
yeah that's what I mean, can you try it and see if there are any issues still? if not then go ahead and modify this PR to accommodate the backend validation. we should check though where in the code the image is being set to make sure no one can falsely set it to some malicious data like xss. |
|
@lirantal I didn't notice any issues after removing the escape method from the I'm thinking we could remove the escape method from the backend in this PR to get the bug handled, and then look at implementing something more robust for sanitizing the file. I'm on Gitter most days/nights if you wanna have a chat about this there. |
|
Hi There. |
|
@0xNacho Thank you for the feedback. I was thinking it could be over-kill to sanitize the binary data. However, this is a little out of the realm of my expertise. So it appears that there isn't really much of a risk here with the @lirantal WDYT? If you agree, then I can revert my changes in the PR & then just remove the |
Removes the validator.escape on the profileImageUrl field in core server controller. The escaping was causing the profileImageUrl field to be an invalid path for the image. We don't need to worry about xss vulnerabilities on this field because no user input is provided; the name & path are generated by the application logic. Fixes meanjs#1127
|
@lirantal I've updated the PR to just remove the escaping of the |
|
Thanks, I'll review later and merge. |
fix(users): ProfileImageURL sanitize with ngSanitize
With the new security enhancement for thwarting xss attacks implemented with b9e3fd1, the Profile Image stored in the browsers User object is now encoded with the escaping characters. When loading the image from the browser's User object, the image cannot be found; due to image path containing the escape characters.
To reproduce..
You'll notice that the image cannot be found, and when viewing the User object from the source of the page you'll see that the
profileImageURLfield is encoded with the escaping characters.The fix that comes to mind first is to decode (or remove escaping characters) from the User object data when it's loaded into the Authentication service.
@lirantal Is this what you were referring to about the Angular changes that might need to be made?
Anyone have any additional thoughts, or ideas? One thing that might be helpful, is for someone else to run through some test cases & watch the behavior of the User object. I seem to be experiencing odd behavior with the data that's loaded into the browser object; see these comments #1119 (comment) & #1119 (comment)
The text was updated successfully, but these errors were encountered: