Home Events! Entrance Everyone Wiki Search Login Register

Welcome, Guest. Please login or register. - Thinking of joining the forum??
November 21, 2024 - @780.07 (what is this?)
Forum activity rating: Three Stars Posts: 32/1k.beats Unread Topics | Unread Replies | My Stuff | Random Topic | Recent Posts    Start New Topic
News: :ha: :pc: Hello Melonland! :pc: :happy:

+  MelonLand Forum
|-+  World Wild Web
| |-+  ✁ ∙ Web Crafting
| | |-+  ☔︎ ∙ I need Help!
| | | |-+  HELP: Clarification in regards to jQuery vulnerability


« previous next »
Pages: [1] Print
Author Topic: HELP: Clarification in regards to jQuery vulnerability  (Read 660 times)
shevek
Sr. Member ⚓︎
****


˚₊⁀꒷₊˚︰₊︶꒦꒷₊⊹︰꒷

⛺︎ My Room
iMood: daintyeco

View Profile WWW

Thanks for being rad!First 1000 Members!Joined 2023!
« on: June 27, 2023 @378.87 »

Hi, I have researched this issue a bit now but I am still unsure.

I am building a website that uses a jQuery library to handle a terminal input. As far as I know, the library itself sanitizes the user input (commands) already.

Code example snippet is the following:

Code
$('body').terminal(function(command, term) {
if (command === 'run word1') {
term.echo('Text that is displayed when you use word1 command');
} else if (command === 'help') {
term.echo('Help text displayed when you use help command');

Now, I want some of these texts (there are more than the code example) to have links. The library auto-converts any mail address or https:// link to a clickable link, but I want a clickable word basically, like you would usually do as

Code
A specific <a href="www.link.com">word</a> should be a link.

But this doesn't work within the the term.echo texts because they treat the text as plain text, not HTML, so the <a href> would just show up as text. One way to change this is to attach raw: true the following way:

Code
} else if (command === 'run word2') {
term.echo('<a href="link here">Linkword</a> and rest of the text', { raw: true });

This treats the text as raw HTML, and with that, the <a href> works and I can style it in CSS too. However, raw: true can be a security risk because it renders HTML directly, and if I understand correctly, even before the sanitization check.

Am I correct in my assessment that only running the commands themselves as raw:true is a risk, because that is the direct user input, and running raw:true on the text that will show up after the user input is okay?
Or are there any more elegant solutions than this?
Logged

Odo was just an idea. Shevek is the proof.
Melooon
Hero Member ⚓︎
*****


So many stars!

⛺︎ My Room
SpaceHey: Friend Me!
StatusCafe: melon
iMood: Melonking
Itch.io: My Games

View Profile WWW

Thanks for being rad!a puppy for your travelsAlways My PalFirst 1000 Members!spring 2023!Squirtle!!!!MIDI WarriorMIDI Warrior1234 Posts!OzspeckCool Dude AwardRising Star of the Web AwardMessage BuddyPocket Icelogist!OG! Joined 2021!...
« Reply #1 on: June 27, 2023 @629.10 »

It's a little hard to tell what you mean by running a terminal input with jQuery?? You mean your making a site that's styled after a terminal? Or you are actually making a passthrough that lets people send real commands to a real terminal somewhere??

At any rate, having people inject HTML into your site is only an issue if you are saving that HTML and redistributing it to other people (like.. eh.. letting people put it on forum profiles :tongue: ) - and even then, its only an issue if you expect people to actively abuse that injection (like making a banking site have a scam link that steals info etc) - really though its only an issue if you are letting people inject <script> tags, since those are the ones that can get really creative for hackers.

(DOes anyone remember the time I made my status.cafe profile automatically make people post "I visited melons profile" whenever anyone visited my profile  :grin:  :grin:  :grin: - thats why custom scripts are banned on status.cafe! )

It really just depends on the context and use case - if your site is entirely static (only affects the visitor's browser) then you can let them do whatever they like and the only person they can hack is themselves!  :pc:
Logged


everything lost will be recovered, when you drift into the arms of the undiscovered
shevek
Sr. Member ⚓︎
****


˚₊⁀꒷₊˚︰₊︶꒦꒷₊⊹︰꒷

⛺︎ My Room
iMood: daintyeco

View Profile WWW

Thanks for being rad!First 1000 Members!Joined 2023!
« Reply #2 on: June 27, 2023 @681.77 »

It's a little hard to tell what you mean by running a terminal input with jQuery?? You mean your making a site that's styled after a terminal? Or you are actually making a passthrough that lets people send real commands to a real terminal somewhere??

Ah no, just a terminal style, not a real terminal; I use this library.

Quote
At any rate, having people inject HTML into your site is only an issue if you are saving that HTML and redistributing it to other people (like.. eh.. letting people put it on forum profiles :tongue: ) - and even then, its only an issue if you expect people to actively abuse that injection (like making a banking site have a scam link that steals info etc) - really though its only an issue if you are letting people inject <script> tags, since those are the ones that can get really creative for hackers. [...]

It really just depends on the context and use case - if your site is entirely static (only affects the visitor's browser) then you can let them do whatever they like and the only person they can hack is themselves!  :pc:

Cool, thank you for the clarification :smile: then I'm gonna go ahead with that.

Logged

Odo was just an idea. Shevek is the proof.
Pages: [1] Print 
« previous next »
 

Vaguely similar topics! (3)

Melons critiquing and helping each other

Started by urgellxBoard ✎ ∙ Art Crafting

Replies: 22
Views: 1913
Last post August 24, 2024 @487.13
by e-
HELP: Using jQuery on Neocities

Started by OfPowerDeriveBoard ☔︎ ∙ I need Help!

Replies: 3
Views: 702
Last post August 17, 2023 @857.94
by OfPowerDerive
What helped you code html/css easy?

Started by LIABoard ✁ ∙ Web Crafting

Replies: 17
Views: 2150
Last post October 11, 2023 @152.56
by flowers

Melonking.Net © Always and ever was! SMF 2.0.19 | SMF © 2021, Simple Machines | Terms and Policies Forum Guide | Rules | RSS | WAP | Mobile


MelonLand Badges and Other Melon Sites!

MelonLand Project! Visit the MelonLand Forum! Support the Forum
Visit Melonking.Net! Visit the Gif Gallery! Pixel Sea TamaNOTchi