webxdc/checklist
15
2
Fork
You've already forked checklist
3

Fix XSS? #8

Closed
opened 2023年08月29日 14:30:10 +02:00 by WofWca · 2 comments

POC

Create an item with text <img src="doesntexist" onerror="alert('pwned')">

Impact, severity

The impact is not big because all the info is intended to be shared between chat members anyway. Currently none of the existing webxdc apps are resistant to malicious chat members (see "XDC-06" in https://delta.chat/en/2023-05-22-webxdc-security).

Also

The app seems to be keen on using innerHTML:

element.innerHTML = `<input class="AppListItemToggle" type="checkbox" onclick="AppBehaviour.ControlToggle(${ index });" ${ item.done ? 'checked' : '' } /> <span class="AppListItemName" onclick="AppBehaviour.InterfaceEdit(${ index });">${ item.text }</span>`;

innerHTML is also used in webxdc.js, which can be found in a lot of webxdc example apps, but I don't know if it's exploitable there.

## POC Create an item with text `<img src="doesntexist" onerror="alert('pwned')">` ## Impact, severity The impact is not big because all the info is intended to be shared between chat members anyway. Currently none of the existing webxdc apps are resistant to malicious chat members (see "XDC-06" in https://delta.chat/en/2023-05-22-webxdc-security). ## Also The app seems to be keen on using `innerHTML`: https://codeberg.org/webxdc/checklist/src/commit/11276463a39558c93c21b3ebb28664e0c24c5c7a/ui-behaviour.js#L179 `innerHTML` is also used in `webxdc.js`, which can be found in a lot of webxdc example apps, but I don't know if it's exploitable there.
Owner
Copy link

i do not think, things are exploitable as webxdc apps cannot access outside scripts at all.

however, still, we should eg. use innerText after adding the elements (as in calendar) to not guide new js devs to the wrong direction.

but i would do that at the end of the other factorings, might be, things are resolved as some code gets rewritten for other reasons.

i do not think, things are exploitable as webxdc apps cannot access outside scripts at all. however, still, we should eg. use `innerText` after adding the elements (as in calendar) to not guide new js devs to the wrong direction. but i would do that at the end of the other factorings, might be, things are resolved as some code gets rewritten for other reasons.

agree IMHO the main issue is not security risk but wrong display of user input ex if you enter "buy " it is displayed as "buy" only, innerHTML should never be used to insert user input

agree IMHO the main issue is not security risk but wrong display of user input ex if you enter "buy <apples>" it is displayed as "buy" only, innerHTML should never be used to insert user input
Sign in to join this conversation.
No Branch/Tag specified
master
all-updates
fix-init-override
adb/issue-8
update-webxdc-js
tweak-layout
add-menu
fix-title-linebreaks
positive-icon
update-icon
adb/use-vite
pages
v0.0.3
v0.0.4
v0.0.2
0.0.1
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
webxdc/checklist#8
Reference in a new issue
webxdc/checklist
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?