Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize docs content to prevent XSS #6670

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Sanitize docs content to prevent XSS #6670

wants to merge 2 commits into from

Conversation

gtsp233
Copy link

@gtsp233 gtsp233 commented Jan 23, 2024

Fix for Cross-Site Scripting (XSS) Vulnerability

Hi, I've found a Cross-Site Scripting (XSS) vulnerability in the package @icedesign/richtext-renderer.

Vulnerability Details:

  • Severity: High/Critical
  • Description: There's a risk of malicious content is passed to docs

POC(Proof of Concept)

import React, { useEffect } from "react";
import { Documentation } from "@blueprintjs/docs-theme";

const App = () => {
  return (
    <Documentation
      docs={{
        nav: [],
        pages: {
          test: {
            reference: "foo",
            route: "foo",
            sourcePath: "foo",
            title: "foo",
            contents: ["<img src='' onerror=alert(1)>"],
          },
        },
        docs: {
          pages: [],
        },
      }}
      defaultPageId="foo"
    />
  );
};

export default App;

Changes proposed in this pull request:

Sanitize the HTML before rendering it using dangerouslySetInnerHtml

I've already fixed this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request to resolve this vulnerability. Thanks!

Reviewers should focus on:

Screenshot

@palantirtech
Copy link
Member

Thanks for your interest in palantir/blueprint, @gtsp233! Before we can accept your pull request, you need to sign our contributor license agreement - just visit https://cla.palantir.com/ and follow the instructions. Once you sign, I'll automatically update this pull request.

@adidahiya
Copy link
Contributor

This is a developer build tool that is not exposed directly to end users (only developers building documentation sites). Why does this sanitization need to happen in the Blueprint package? If it's a concern for a downstream consumer, then perhaps @icedesign/richtext-renderer should do the sanitization?

ericjeney
ericjeney reviewed Feb 9, 2024
View reviewed changes
Copy link
Contributor

@ericjeney ericjeney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for filing, @gtsp233!

However, I agree with @adidahiya's inclination that the Blueprint docs theme is only intended to be used with trusted input, and this sanitization should be performed by the consumer if the input cannot be trusted.

If we did want to fix this within Blueprint, I think we'd have to fix a few other places as well (such as the dangerouslySetInnerHTML's in css.tsx).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericjeney ericjeney ericjeney left review comments

Assignees

@ericjeney ericjeney

@styu styu

Labels
Status: in discussion
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@gtsp233 @palantirtech @adidahiya @ericjeney @styu