
Comments (5)

dergachev avatar dergachev commented on June 4, 2024

Note: I originally posted this as a comment in #8 but since I don't have permission to reopen that issue, I started a new one.

from github-renderer.

ryt avatar ryt commented on June 4, 2024

Do you have any suggestions as to what we could do to stop scripts from exploiting that?


dergachev avatar dergachev commented on June 4, 2024

OK took a closer look.

First tried my initial suggestion:

<iframe src="https://raw.github.com/dergachev/githtml/master/example.html" width="400" height="400" />

This fails because github purposely discourages hosting the HTML from github.com (instead of their Github Pages platform). See this related discussion

So the only other idea I have (without resorting to a proxy service, of course) is to use the HTML5 iframe sandbox/srcdoc attributes. I hacked my version of githtml.js to use it as a quick proof of concept.

See the top of my fork's README.md to see a diff of my hacks, and to get a URL for githtml-sandbox bookmarklet: https://github.com/dergachev/githtml

It seems to work in Chrome, in the sense that it doesn't allow XSS, and it renders the pages and even executes their JS.

However, my brief testing suggests that it renders complex pages poorly (try it on https://github.com/HPNeo/gmaps/blob/master/examples/context_menu.html), but I can't tell if it's due to fundamental problems of introducing the security restrictions, or because I adapted your code poorly (escaping, relative link handling, etc).

It's all supported in Chrome, but srcdoc isn't supported in Firefox yet.

Read more:

Thoughts?

Personal note: I'd be happier if you avoid using 1 or 2 character variable names, as it breaks my standard CMD-F code exploration technique, and forces me to use the chrome JS debugger to figure out what's going on.

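As an added example (not code from the original post or from the githtml project), one way to build the sandbox/srcdoc preview frame described in the comment above; the function names buildSandboxAttrs and makePreviewFrame and the sample inputs are assumptions:

```javascript
// Added example, not githtml's own code. Builds a sandboxed srcdoc iframe
// for previewing repository HTML so its scripts run in an opaque origin
// instead of the github.com origin.

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Minimal policy: scripts may run, but without allow-same-origin the frame
// cannot read the host page's cookies, storage or DOM.
const SANDBOX_TOKENS = ['allow-scripts'];

// Reject the classic mistake: allow-scripts plus allow-same-origin lets the
// framed content remove its own sandbox attribute.
function validateSandbox(tokens) {
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    throw new Error('allow-scripts + allow-same-origin defeats the sandbox');
  }
  return tokens.join(' ');
}

// Prepend a <base> so relative links and assets resolve against the raw
// file's URL rather than the host page (one of the breakages noted above).
function withBase(html, baseUrl) {
  const base = '<base href="' + escapeAttr(baseUrl) + '">';
  return /<head[^>]*>/i.test(html)
    ? html.replace(/<head[^>]*>/i, function (m) { return m + base; })
    : base + html;
}

// Pure attribute map for the preview iframe (testable outside a browser).
function buildSandboxAttrs(html, baseUrl, tokens) {
  return {
    sandbox: validateSandbox(tokens || SANDBOX_TOKENS),
    srcdoc: withBase(html, baseUrl),
    referrerpolicy: 'no-referrer',
  };
}

// Browser-only helper: setAttribute handles attribute escaping for srcdoc.
function makePreviewFrame(html, baseUrl) {
  const attrs = buildSandboxAttrs(html, baseUrl);
  const f = document.createElement('iframe');
  Object.keys(attrs).forEach(function (k) { f.setAttribute(k, attrs[k]); });
  return f;
}
```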

dergachev avatar dergachev commented on June 4, 2024

Oh, just came across this alternative approach: http://htmlpreview.github.com/

Because it uses a free yahoo proxy service (via YQL), it doesn't have the security problems of executing strange code in the github.com context.

On the other hand, there's a dependency on Yahoo's free service... who knows how long that'll be around?

Here's their code: https://github.com/htmlpreview/htmlpreview.github.com/blob/master/htmlpreview.js
It'd be pretty easy to make a bookmarklet for it.

Found via http://stackoverflow.com/questions/6551446/can-i-run-html-files-directly-from-github-instead-of-just-viewing-their-source


dergachev avatar dergachev commented on June 4, 2024

An unrelated security point... it's probably safer to give people a bookmarklet that references a JS file at a given git commit, rather than repo head. That is, this:

javascript:(function(){var d=document,s=d.createElement('script');s.src='//raw.github.com/ryt/githtml/103a0a8b91cb0b33485e8e92a642b663f6f04cdb/githtml.min.js?2';d.body.appendChild(s);})();

Instead of this:

javascript:(function(){var d=document,s=d.createElement('script');s.src='//raw.github.com/ryt/githtml/master/githtml.min.js?2';d.body.appendChild(s);})();

This means that should someone get access to your github account and push a malicious change to githtml.min.js, they won't be able to get all the users of this bookmarklet to pull it in automatically.

