Default formatter error can cause XSS rendering issue #1762
Comments
Looks legit. Would appreciate at least a spec, maybe a fix, please. We can just drop the actual value I think.
Happy to do so, but I'm not sure the best approach for fixing. The use of the format name in the script was done intentionally (#322 I believe). Ideally we'd sanitize the output before displaying it as html, but we don't know it's going to be displayed as html. ActiveSupport has a safebuffer that could be used for sanitizing the html text prior to rendering, but we don't want to do that if the text won't be rendered as html.
Actually I think I figured out a solution, PR forthcoming.
* When calling into an API specifying a crafted format that is HTML, the returned error renders the HTML back to the user, causing a potential XSS issue. For example:
  http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
  Renders as html:
  The requested format '<script>alert(document.cookie)</script>' is not supported.
  When an error generates html back to the user, make sure it's properly escaped. Fixes issue #1762
* Add changelog entry
* Use a method that also works in rails3
* Add spec formatting for older rails/activesupport version
Closed via #1763.
If you issue a request into an API endpoint with a format specified that is not handled, you get back a 406 error with message 'The requested format 'format' is not supported.'
The name of the specified format is rendered in the error message, which defaults to HTML. You can easily craft a format value that gets passed in and renders as an XSS. An example:
http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Renders as html:
The requested format '<script>alert(document.cookie)</script>' is not supported.
This will cause a javascript popup if you visit this page in a browser.
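The bug described in this issue, reduced to a constructed Ruby example that is not Grape's own code: the unescaped 406 message beside a version that HTML-escapes the attacker-controlled format name with the stdlib's `ERB::Util.html_escape`. The helper names (`not_acceptable`, `raw_tag?`) and the query-string parsing are assumptions made for the illustration.

```ruby
require 'cgi'
require 'erb'

# Constructed illustration of the bug in this issue, not Grape's own code.
# UNSUPPORTED_FORMAT mirrors the wording of the 406 message quoted above.
UNSUPPORTED_FORMAT = "The requested format '%s' is not supported."

# Pull the format value out of a query string the way a Rack app would
# (CGI.parse percent-decodes it, so %3Cscript%3E becomes <script>).
def format_from_query(query_string)
  values = CGI.parse(query_string)['format']
  values && values.first
end

# Vulnerable variant: the attacker-controlled format name is interpolated
# verbatim into a message that is served with a text/html content type.
def unsafe_message(fmt)
  format(UNSUPPORTED_FORMAT, fmt)
end

# Hardened variant: HTML-escape the untrusted value first. ERB::Util.html_escape
# (Ruby stdlib; ActiveSupport extends it under Rails) encodes & < > " ' so the
# browser treats the value as text rather than markup.
def safe_message(fmt)
  format(UNSUPPORTED_FORMAT, ERB::Util.html_escape(fmt))
end

# Build the 406 Rack response triple; the body defaults to HTML, as in the issue.
def not_acceptable(query_string, escape: true)
  fmt = format_from_query(query_string).to_s
  body = escape ? safe_message(fmt) : unsafe_message(fmt)
  [406, { 'Content-Type' => 'text/html' }, [body]]
end

# Defender-side check: does a response body still contain a raw HTML tag?
def raw_tag?(body)
  !!(body =~ %r{</?[a-z][^>]*>}i)
end

if __FILE__ == $PROGRAM_NAME
  q = 'format=%3Cscript%3Ealert(document.cookie)%3C/script%3E'
  puts not_acceptable(q, escape: false)[2].first # raw <script> tag survives
  puts not_acceptable(q)[2].first                # tag rendered as &lt;script&gt;
end
```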