Reduce risk of XSS (#1051)

* Skip non-own properties of env.attributes Use `Object.keys` instead of a for-in loop to find optional attributes. The former only grabs keys that are own properties, the latter also includes inherit properties from `Object.prototype`. This reduces the risk of XSS if an attacker somehow manages to manipulate the prototype chain of the Object prototype. * Fix root cause of XSS in autolinker plugin #1054 * command-line plugin: Safely encode attributes If an attacker has control over the values of the attributes "data-prompt", "data-user", or "data-host", then XSS was possible. This fixes the issue, by encoding quotes as the `"` entity. * show-language plugin: innerHTML -> textContent There is no need for `innerHTML` here. At best nothing happens, at worst XSS is possible (though the odds are negligible since the attacker would have to control the detected language). * toolbar plugin: innerHTML -> textContent
PrismJS · Nov 20, 2016 · 17e33bc · 17e33bc
1 parent 0251471
commit 17e33bc
Show file tree

Hide file tree

Showing 9 changed files with 19 additions and 19 deletions.
diff --git a/components/prism-core.js b/components/prism-core.js
@@ -445,11 +445,9 @@ Token.stringify = function(o, language, parent) {
 
 	_.hooks.run('wrap', env);
 
-	var attributes = '';
-
-	for (var name in env.attributes) {
-		attributes += (attributes ? ' ' : '') + name + '="' + (env.attributes[name] || '') + '"';
-	}
+	var attributes = Object.keys(env.attributes).map(function(name) {
+		return name + '="' + (env.attributes[name] || '').replace(/"/g, '&quot;') + '"';
+	}).join(' ');
 
 	return '<' + env.tag + ' class="' + env.classes.join(' ') + '"' + (attributes ? ' ' + attributes : '') + '>' + env.content + '</' + env.tag + '>';
 

diff --git a/components/prism-core.min.js b/components/prism-core.min.js
diff --git a/plugins/command-line/prism-command-line.js b/plugins/command-line/prism-command-line.js
@@ -34,14 +34,18 @@ Prism.hooks.add('complete', function (env) {
 		pre.className += ' command-line';
 	}
 
+	var getAttribute = function(key, defaultValue) {
+		return (pre.getAttribute(key) || defaultValue).replace(/"/g, '&quot');
+	};
+
 	// Create the "rows" that will become the command-line prompts. -- cwells
 	var lines = new Array(1 + env.code.split('\n').length);
-	var promptText = pre.getAttribute('data-prompt') || '';
+	var promptText = getAttribute('data-prompt', '');
 	if (promptText !== '') {
 		lines = lines.join('<span data-prompt="' + promptText + '"></span>');
 	} else {
-		var user = pre.getAttribute('data-user') || 'user';
-		var host = pre.getAttribute('data-host') || 'localhost';
+		var user = getAttribute('data-user', 'user');
+		var host = getAttribute('data-host', 'localhost');
 		lines = lines.join('<span data-user="' + user + '" data-host="' + host + '"></span>');
 	}
 

diff --git a/plugins/command-line/prism-command-line.min.js b/plugins/command-line/prism-command-line.min.js
diff --git a/plugins/show-language/prism-show-language.js b/plugins/show-language/prism-show-language.js
@@ -20,7 +20,7 @@ Prism.plugins.toolbar.registerButton('show-language', function(env) {
 	var language = pre.getAttribute('data-language') || Languages[env.language] || (env.language.substring(0, 1).toUpperCase() + env.language.substring(1));
 
 	var element = document.createElement('span');
-	element.innerHTML = language;
+	element.textContent = language;
 
 	return element;
 });

diff --git a/plugins/show-language/prism-show-language.min.js b/plugins/show-language/prism-show-language.min.js
diff --git a/plugins/toolbar/prism-toolbar.js b/plugins/toolbar/prism-toolbar.js
@@ -120,7 +120,7 @@
 				element = document.createElement('span');
 			}
 
-			element.innerHTML = text;
+			element.textContent = text;
 		}
 
 		return element;