Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix potential Cross-site Scripting (XSS) exploits in demos #2817

Merged
merged 1 commit into from
Nov 25, 2021
Merged

Fix potential Cross-site Scripting (XSS) exploits in demos #2817

merged 1 commit into from
Nov 25, 2021
+93 −25

Conversation

lminiero
Copy link
Member

@lminiero lminiero commented Nov 25, 2021
edited
Loading

This patch addresses an issue in the TextRoom demo found by @SoufElhabti (thanks!). Specifically, while we were escaping incoming messages before adding them to the page, we weren't doing the same for display names: since they would be added to the HTML as-is as well, this could cause bad things to happen. See CVE-2021-4020 for details.

This patch fixes that vulnerability in the demo, but it also got me thinking about other demos, where we do similar things with display names, descriptions, etc. In some demos we have checks on what you can put in a display name (e.g., by enforcing alphanumeric values), but those don't protect you from users joining via other means (e.g,, a webpage accessing the same VideoRoom but without the check). As such, I've modified the other demos as well to escape those values that may need it.

I've already updated the demos online with the fix, so it shouldn't be an issue anymore for people using those. I'm planning to merge this patch soon, so please let me know if I missed some file/value.

@lminiero lminiero requested a review from atoppi November 25, 2021 12:30
atoppi
atoppi reviewed Nov 25, 2021
View reviewed changes
Copy link
Member

@atoppi atoppi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@lminiero
Copy link
Member Author

Merging 👍

@lminiero lminiero merged commit ba166e9 into master Nov 25, 2021
@lminiero lminiero deleted the xss-fixes branch November 25, 2021 16:20
lminiero added a commit that referenced this pull request Nov 25, 2021
@lminiero
Implemented #2817 fixes in multistream too
f9683f0
lminiero added a commit that referenced this pull request Dec 15, 2021
@lminiero
Fixed missing XSS mitigation (see #2817)
f62bba6
@lminiero lminiero mentioned this pull request Feb 23, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atoppi atoppi atoppi left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@lminiero @atoppi