Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix #6976: XSS in New File dialog. #6977

Merged

Conversation

caseyflynn-google
Copy link
Contributor

What it does

Fixes XSS sink in the New File dialog.

A side effect of this change is the error message displayed no longer displays the erroneous file name in bold.

How to test

Click File-> New File
Enter <style onload=alert(0)> in the text box

An alert should not be displayed on the page.

Review checklist

Reminder for reviewers

Signed-off-by: Casey Flynn [email protected]

Commit replaces call to innerHTML with a call to innerText to ensure
user supplied text will not create elements in the DOM. An alternative
to this approach would be to sanitize user input before adding it to the
DOM.

Signed-off-by: Casey Flynn <[email protected]>
@caseyflynn-google caseyflynn-google added the security issues related to security label Jan 28, 2020
Copy link
Member

@akosyakov akosyakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for catching it! works well

@caseyflynn-google caseyflynn-google merged commit 791b576 into eclipse-theia:master Jan 28, 2020
@caseyflynn-google caseyflynn-google deleted the fix_dialog_xss branch January 28, 2020 17:38
@luigigubello luigigubello mentioned this pull request Dec 16, 2020
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security issues related to security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants