diff options
| author | Owen Jacobson <owen@grimoire.ca> | 2025-07-09 18:57:16 -0400 |
|---|---|---|
| committer | Owen Jacobson <owen@grimoire.ca> | 2025-07-09 21:26:10 -0400 |
| commit | 01ed82ac4f89810161fbc3aa1cb8e4691fb8938b (patch) | |
| tree | 15ef92a207c44d60556188b4016bafc3c85b466f /docs/developer/client | |
| parent | af215bf98bec827fc75756b197bbb884afb52643 (diff) | |
Do not support users entering bare HTML in swatches.
You can inject Javascript into a swatch that uses `{@html <expr>}` fairly easily. `<script>foo()</script>` doesn't appear to work, but `<img src="x" onerror="foo()">` does, for example. That code then runs with the same access to cookies, and the same access to local data, as the Pilcrow client. This change removes that capability, by replacing the two swatches that exposed it with more limited examples.
I love the generality and flexibility of generic HTML entry here, and I think it might have been useful for swatching components that are generic DOM containers (which both `Message` and `MessageRun` are today), but swatches are a user interface and are exposed to _all_ users. A user who is unfamiliar with HTML and Javascript, but who is persuaded to open a swatch and enter some code into it (think about an attacker who tells their victim "hey check out this funny thing that happens," preying on curiousity, while providing a lightly-obfuscated payload) can then impersonate that user, exfiltrate anything saved locally, or potentially install persistent code using JS' various background-processing APIs. Gnarly stuff.
We're not up to mitigating that in place. Anyone who knows JS can likely learn to build the client from source, and can experiment with arbitrary input that way, taking responsibility for the results in the process, while anyone who doesn't is unlikely to be persuaded to set up an entire Node toolchain just for an exploit.
Diffstat (limited to 'docs/developer/client')
| -rw-r--r-- | docs/developer/client/swatches.md | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/developer/client/swatches.md b/docs/developer/client/swatches.md index df4f643..ad11381 100644 --- a/docs/developer/client/swatches.md +++ b/docs/developer/client/swatches.md @@ -14,3 +14,13 @@ Things to consider: - For freeform values whose meaning is significant, provide buttons to let the user rapidly enter and experiment with interesting values. - Be thorough. Let the user experiment with values, even if you think those values may be nonsensical. - Try to show the component _without_ supporting markup, as far as is possible. However, if a component generates markup that requires context - a table row component needs a table, for example, or a list element needs a list - then include that markup in the swatch. + +## Swatches and XSS + +⚠ Swatches **should not** accept arbitrary HTML as user input and render it. Use something less expressive, instead. + +Swatches are an interface _intended for_ developers, but _available to_ everyone - including users who may not be familiar with the Web platform or the level of access a page might have to their credentials or data. Putting HTML inputs on a swatch invites the risk that a user may be mislead into running code in that swatch that then has access to the Pilcrow API, or to their locally-stored data. + +If a component takes HTML as an argument, then the best compromise we've found between allowing a swatch user to experiment with that HTML and protecting that user from these risks is to provide some kind of structured input. For example, a swatch for a message might instead allow test data to be entered using the same Markdown dialect real messages are entered with. + +For components where there isn't an easy way to do that, providing one or more predetermined test bodies is also a workable alternative. |