Attribution Details : sanitize user input

[matheod]

Description

Work Author, URL of creator profile, Title of Work and Work URL input are not sanatized.
This bring two theorical security issue :

• The html in name is parsed which allow execution of javascript (but this means the user have to paste malicious code so not really a useable vulnerability)
• javascript: url can be written
  This bring two real issue :
• If an basic user use some character like "<" in it's name, the preview (rich text) and HTML (in the textarea that the user will be able to copy/paste) output will be wrong
• If the url contain some character like " the HTML output will be broken (preview will be okay)

Additional context

• Author / Title are not sanatized in preview and HTML
• URL of creator profil / work url are sanatized in preview (but javascript: is allowed) but not in HTML

Resolution

• I would be interested in resolving this bug.

[obulat]

Thank you for reporting this issue, @matheod , it is very important. Please, go ahead and submit your PR when you are ready!

[neeraj-2]

@obulat, is this issue still available to work upon?

[obulat]

Yes, @neeraj-2 , it is. I've tried replicating it, and I see that although Richtext seems to be safe, if HTML code has something like <img src="x" onerror="alert(document.cookie)"/> for the title, and a user pastes it somewhere, this alerts the document cookie...
So, I guess we need sanitizing for the HTML generation. I am open to other suggestions, though.
What are you going to use for sanitizing input?

[neeraj-2]

Thanks, @obulat for the information. Trying some approach for the same. Will inform you asap.

[Cronus1007]

@obulat Shall I take over this issue if @neeraj-2 is not working upon the issue.

[neeraj-2]

@obulat Shall I take over this issue if @neeraj-2 is not working upon the issue.

@Cronus1007, I am on it. Will give an update soon.

[Cronus1007]

@neeraj-2 If you require any help let me know. :)

[obulat]

@zackkrida , we need your input on this issue :)

We have a form with two URLs and two text inputs for the Name of the Creator and Work Title. We use these data to create Rich Text and HTML string with attribution. What should we do to improve security on them?

From my understanding (after some testing and research) the URLs are sanitized, and even if users input javascript into them, the JS just turns into text and is harmless. Is it really, though?
The only problem I could find has to do with the HTML string. When the user adds something like <img src="x" onerror="alert(document.cookie)"/> into the text input, and pastes the HTML string to their website, we can see an alert on their website. So, I guess the embedded HTML could be exploited. What's the best thing to do here?

[zackkrida]

I am going to close this issue. From a security perspective, we have a single user entering input and then using the output on their own site. Because they're both the creator and consumer of this input text, I don't think we need to worry about them inputting and then outputting malicious code for use on their own sites.