Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pasteHTML should prevent script execution #981

Closed
sijad opened this issue Sep 16, 2016 · 4 comments
Closed

pasteHTML should prevent script execution #981

sijad opened this issue Sep 16, 2016 · 4 comments

Comments

@sijad
Copy link

sijad commented Sep 16, 2016
edited
Loading

if something like quill.pasteHTML('<img src="dfsdfds" onerror="alert(document)">') called, the alert(document) will be executed. I'm not sure if it's quill job to prevent this. I just want to make sure.

Steps for Reproduction

  1. Visit http://codepen.io/sijad/pen/NRAAdj

Expected behavior:
Quill should sanitize unsafe attributes and tags.

Actual behavior:
See http://codepen.io/sijad/pen/NRAAdj

Platforms:

53.0.2785.116 (64-bit), osx 10.11.6

Version:

1.0.3
@jhchen jhchen closed this as completed in d1149ad Sep 18, 2016
@jhchen
Copy link
Member

jhchen commented Sep 19, 2016

Sanitization is better handled outside of Quill and I'd rather not impose a set of rules, which are error-prone anyways. There are legitimate use cases for a onerror handler on images for example though it is also a vector for attack. The right behavior is user dependent.

Instead Quill will follow React's example of providing a very clear warning in the method name.

@sijad
Copy link
Author

sijad commented Sep 19, 2016
edited
Loading

thanks for your effort @jhchen
most script and cms store origin user input intact beside rendered (sanitized) version in database for when user need to edit previous inputs.

  1. sanitizing user input before saving it in DB may produce some problem when user want to edit.
  2. sanitizing in client side is also expensive (sanitize-html minified version is about ~180kb)

could be please give me some advice here?

both CKEditor and TinyMCE have filter content feature.

@sijad
Copy link
Author

sijad commented Sep 19, 2016

@jhchen is it possible to use DOMParser class instead of using innerHTML?

as delta do all other work (e.g. convert tags and attributes) i guess it'll really fix this issue. I didn't look enough in code so I may be wrong.

DOMParser is well supported in all new browser http://caniuse.com/#feat=xml-serializer

tmpdoc = new DOMParser().parseFromString('<img src="" onerror="alert(\'it will not execute!\')">', "text/html");
console.log(tmpdoc.body.innerHTML);

@benbro benbro mentioned this issue Sep 19, 2016
Closed
@jhchen
Copy link
Member

jhchen commented Sep 21, 2016

HTML sanitization is a huge mess. I would recommend not using HTML at all as a form of input and Quill has Deltas for this reason. The bright engineers at Facebook working on React seems to feel the same.

DOMParser is a good suggestion though from @benbro's PR it does not appear a simple substitution works, though with some more modifications it might. Regardless it does not cover all vectors for attack when it comes to HTML input and it is outside Quill's responsibility.

@sijad sijad mentioned this issue Oct 15, 2017
Open
@cbwswsolns cbwswsolns mentioned this issue Nov 4, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

use DOMParse in pasteHTML to protect against dangerous html
2 participants
@jhchen @sijad