Author Topic: HELP: Clarification in regards to jQuery vulnerability  (Read 787 times)
shevek
« on: June 27, 2023 @378.87 »

Hi, I have researched this issue a bit now but I am still unsure.

I am building a website that uses a jQuery library to handle a terminal input. As far as I know, the library itself sanitizes the user input (commands) already.

Code example snippet is the following:

Code
$('body').terminal(function(command, term) {
    // each branch prints a fixed, author-written string for one command
    if (command === 'run word1') {
        term.echo('Text that is displayed when you use word1 command');
    } else if (command === 'help') {
        term.echo('Help text displayed when you use help command');
    }
});

Now, I want some of these texts (there are more than the code example) to have links. The library auto-converts any mail address or https:// link to a clickable link, but I want a clickable word basically, like you would usually do as

Code
A specific <a href="www.link.com">word</a> should be a link.

But this doesn't work within the term.echo texts because they treat the text as plain text, not HTML, so the <a href> would just show up as text. One way to change this is to attach raw: true the following way:

Code
} else if (command === 'run word2') {
    // raw: true makes term.echo insert the string as HTML instead of escaping it
    term.echo('<a href="link here">Linkword</a> and rest of the text', { raw: true });
}

This treats the text as raw HTML, and with that, the <a href> works and I can style it in CSS too. However, raw: true can be a security risk because it renders HTML directly, and if I understand correctly, even before the sanitization check.

Am I correct in my assessment that only running the commands themselves as raw:true is a risk, because that is the direct user input, and running raw:true on the text that will show up after the user input is okay?
Or are there any more elegant solutions than this?
Odo was just an idea. Shevek is the proof.
Melooon
« Reply #1 on: June 27, 2023 @629.10 »

It's a little hard to tell what you mean by running a terminal input with jQuery?? You mean you're making a site that's styled after a terminal? Or you are actually making a passthrough that lets people send real commands to a real terminal somewhere??

At any rate, having people inject HTML into your site is only an issue if you are saving that HTML and redistributing it to other people (like.. eh.. letting people put it on forum profiles :tongue: ) - and even then, it's only an issue if you expect people to actively abuse that injection (like making a banking site have a scam link that steals info etc) - really though it's only an issue if you are letting people inject <script> tags, since those are the ones that can get really creative for hackers.

(Does anyone remember the time I made my status.cafe profile automatically make people post "I visited melon's profile" whenever anyone visited my profile  :grin:  :grin:  :grin: - that's why custom scripts are banned on status.cafe! )

It really just depends on the context and use case - if your site is entirely static (only affects the visitor's browser) then you can let them do whatever they like and the only person they can hack is themselves!  :pc:
everything lost will be recovered, when you drift into the arms of the undiscovered
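The following is an added example, not code from either post and not the jQuery Terminal library itself. It models the distinction the original question turns on (a fixed, author-written string rendered with raw:true versus a string that contains the user's command) and the caveat to the "static site, only the visitor can hack themselves" view: the command need not have been typed by the visitor if it can arrive through a URL. The tiny terminal object, the escapeHtml helper, the example.com link, the commandFromHash function and the sample payload are all assumptions made for this illustration; only the shape of term.echo(text, { raw }) mirrors the usage shown in the thread.

```javascript
// Added example: which inputs are safe to hand to term.echo(..., { raw: true }).
// The "terminal" here is a stand-in that records the HTML that would be
// inserted into the page; it is not the library's real API (assumption).

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Stand-in for the terminal: echo(text, { raw }) escapes by default (the
// plain-text behaviour described in the question) and inserts verbatim when
// raw is true.
function makeTerminal() {
  const output = [];
  return {
    echo(text, opts = {}) {
      output.push(opts.raw ? String(text) : escapeHtml(text));
    },
    output,
  };
}

// Trusted responses written by the site author. None of them contains user
// input, so rendering the raw:true entry only exposes markup the author wrote.
// The URL is a placeholder (assumption).
const RESPONSES = {
  'help': { text: 'Commands: help, run word1, run word2', raw: false },
  'run word1': { text: 'Text that is displayed when you use word1 command', raw: false },
  'run word2': {
    text: '<a href="https://example.com/word2" class="cmd-link">Linkword</a> and rest of the text',
    raw: true,
  },
};

// Vulnerable handler: the unknown-command message reflects the typed command
// into a raw:true echo, so markup in the command is inserted as HTML.
function handleUnsafe(command, term) {
  const r = RESPONSES[command];
  if (r) { term.echo(r.text, { raw: r.raw }); return; }
  term.echo('Unknown command: <b>' + command + '</b>', { raw: true }); // XSS sink
}

// Hardened handler: the same message, but the user-controlled part is escaped
// before it is concatenated into trusted markup.
function handleSafe(command, term) {
  const r = RESPONSES[command];
  if (r) { term.echo(r.text, { raw: r.raw }); return; }
  term.echo('Unknown command: <b>' + escapeHtml(command) + '</b>', { raw: true });
}

// Regression check: a command containing markup characters must never reach
// the page verbatim.
function inputLeakedUnescaped(command, html) {
  return /[<>"']/.test(command) && html.includes(command);
}

// If the site ever takes a command from the URL (a "share this command" link,
// a hash router, ...), the command's author can be an attacker who sends the
// link to another visitor, so the handler must escape even on a static site.
// The #cmd= format is an assumption for this example.
function commandFromHash(hash) {
  const m = /^#cmd=(.*)$/.exec(hash);
  return m ? decodeURIComponent(m[1]) : null;
}

// Run one command through a handler and return the HTML it would emit.
function render(handler, command) {
  const term = makeTerminal();
  handler(command, term);
  return term.output[0];
}

// Constructed sample payload: an image tag with an event handler.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

console.log(render(handleUnsafe, PAYLOAD)); // tag survives intact
console.log(render(handleSafe, PAYLOAD));   // tag arrives as escaped text
console.log(render(handleSafe, 'run word2')); // trusted link markup, unchanged
```

The rule of thumb the example encodes: raw:true is safe for string literals the author wrote, and unsafe the moment any part of the string came from the command, a URL, local storage, or anything else a visitor or a link can influence. Escaping that part first lets both coexist in one echo call.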
shevek
« Reply #2 on: June 27, 2023 @681.77 »

Quote
It's a little hard to tell what you mean by running a terminal input with jQuery?? You mean you're making a site that's styled after a terminal? Or you are actually making a passthrough that lets people send real commands to a real terminal somewhere??

Ah no, just a terminal style, not a real terminal; I use this library.

Quote
At any rate, having people inject HTML into your site is only an issue if you are saving that HTML and redistributing it to other people (like.. eh.. letting people put it on forum profiles :tongue: ) - and even then, it's only an issue if you expect people to actively abuse that injection (like making a banking site have a scam link that steals info etc) - really though it's only an issue if you are letting people inject <script> tags, since those are the ones that can get really creative for hackers. [...]

It really just depends on the context and use case - if your site is entirely static (only affects the visitor's browser) then you can let them do whatever they like and the only person they can hack is themselves!  :pc:

Cool, thank you for the clarification :smile: then I'm gonna go ahead with that.
