
[RFC] Make inserted marker text secure-by-default #2064

Open. Wants to merge 1 commit into base: master

Commits on Sep 7, 2022

  1. Make inserted marker text secure-by-default

    Per the documentation, Overviewer configuration authors must take
    special precautions to escape user-generated HTML and/or JavaScript
    from marker signs. In mide/minecraft-overviewer#117 [1], we
    learned that:
    
      * This detail may escape the notice of downstream
        packagers and server deployments.
    
      * It is very straightforward to inject JavaScript
        into signs on Creative servers. It may also be
        possible on Survival servers.
    
    Overviewer should conform to MDN's recommendations for safely
    inserting external content [2]. Failure to protect against injected
    scripts may allow a malicious actor to gain control of other web
    resources on the same DNS name (i.e., via session hijacking). In
    all likelihood, of course, people will just make nuisances of
    themselves.
    
    A small change in the way text is handled in JavaScript can
    eliminate the need to invoke `html.escape()` at all in Python. The
    Leaflet `bindPopup()` method can accept a DOM node instead of a
    text string [3]. The Leaflet method inserts text strings via an
    *unsafe* `innerHTML` assignment. DOM nodes are inserted
    verbatim [4].
    
    This patch creates a text-only DOM node that contains the marker
    text. Text nodes are not subject to further interpretation, and all
    HTML characters appear as literals. We use CSS to permit newline
    characters to render as line breaks. This preserves multi-line
    marker text.
    
    References
    
    1. mide/minecraft-overviewer#117
    
    2. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page
    
    3. https://leafletjs.com/reference.html#layer-bindpopup
    
    4. https://github.com/Leaflet/Leaflet/blob/f10b44b3afcd079febe5219f84dc67c68b379b5e/src/layer/DivOverlay.js#L280
    cbs228 committed Sep 7, 2022
    Commit 9cc87a1
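The text-node approach the commit describes, as an added example that is not the PR's own code: `marker` stands for any Leaflet layer with `bindPopup()`, `doc` for `window.document`, and the class name `overviewer-sign` is made up for illustration.

```javascript
// Added example, not code from the Overviewer PR: bind untrusted Minecraft
// sign text to a Leaflet popup as a DOM text node rather than an HTML string.
// `marker` is any Leaflet layer with bindPopup(); `doc` is window.document in
// the browser (a minimal stand-in object works for unit tests).

// Build the popup body. A Text node is never parsed as markup, so '<', '>'
// and '&' in the sign render literally; `white-space: pre-line` turns the
// sign's '\n' separators into visual line breaks without any <br> elements.
function signPopupNode(signText, doc) {
  const box = doc.createElement('div');
  box.className = 'overviewer-sign';   // constructed class name, not Overviewer's
  box.style.whiteSpace = 'pre-line';
  box.appendChild(doc.createTextNode(String(signText)));
  return box;
}

// Leaflet's DivOverlay assigns a string argument via innerHTML but appends a
// node argument verbatim, so handing bindPopup() a node is the whole fix.
function bindSignPopup(marker, signText, doc) {
  const node = signPopupNode(signText, doc);
  marker.bindPopup(node);
  return node;
}

// Defensive check for code review or unit tests: popup content built from
// sign text must never reach bindPopup() as a string.
function isNodeContent(content) {
  return content !== null && typeof content === 'object' && 'appendChild' in content;
}

// Browser-only usage; skipped when no DOM or Leaflet is present (e.g. Node).
if (typeof document !== 'undefined' && typeof L !== 'undefined') {
  const m = L.marker([0, 0]);
  bindSignPopup(m, 'Shop\n<b>not bold</b> & more', document);
}
```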