ryt / github-renderer Goto Github PK

I believe that XSS is a huge problem with this bookmarklet. Although the JS files might be loaded from raw.github.com, they're still executed in the github.com context.

I forked the repo and edited example.html to provide a proof of concept. Just run the githtml bookmarklet on this page:

https://github.com/dergachev/githtml/blob/master/example.html

Note: my XSS code is fairly harmless, as it just alerts your github username.
But it could have just as easily deleted your github acount, so read it first before using this bookmarklet.

I'm not exactly sure how one could re-architect the bookmarklet to avoid this. Perhaps via iframe src="https://raw.github.com/.../example.html", though I really haven't thought this through.

At the very least, you should warn people very clearly that by running this bookmarklet on an HTML page uploaded to github.com, they're willing to trust it not to steal their github credentials.

(Aside from this, I think this bookmarklet is a really useful idea! I guess you might modify it to work with gists too)

Chrome extensions have content scripts which can be restricted to inject js/css on
a particular domain. A bookmarklet is great, but it would be cool to have this automagically
work with the extension installed.

http://code.google.com/chrome/extensions/content_scripts.html

Because it only seems to work when that's the case.

My quasi-related HN comment: http://news.ycombinator.com/item?id=4198300

There are some additions to the extension source code that would be good. To name a few.

• Add the chrome.min.js directly inside the extension instead of importing it from github.
• Use manifests v2

If you've forked this repo, please update your bookmark or your fork.
Previously, some pages, such as bootrap and backbone.js, were deformed in the rendered view. This bug has now been fixed and they should all render correctly.

This extension does pose some serious XSS threats against your Github account. If you open an html file that includes some malicious javascript, your entire account could be compromised. Dangerous if you're responsible for a large repo. This could possibly alter the code of a project which again could lead to someone git cloning malware.