XSS hardening #64

Merged
merged 5 commits into from
Aug 22, 2023
Conversation

FoamyGuy (Contributor)

The current server implementation and basic form_data example here: https://github.com/adafruit/Adafruit_CircuitPython_HTTPServer/blob/main/examples/httpserver_form_data.py are susceptible to XSS by submitting things like <script>alert('xss');</script> to the input box which then gets reflected back onto the page returned in the response and executed by the client browser.

By implementing this inside of FormData (super class) it means that by default user code will only have access to encoded values from the user rather than the actual raw values submitted. In some cases that might be problematic, for instance if the values aren't meant to be output within HTML, or if the intention is to allow the user to submit HTML content. In such cases the user could pass False to disable the encoding and implement their own prevention measures.

This PR does mitigate the risk with the provided example, however it is not all encompassing. There are still ways to write handlers and webpages that are vulnerable to other types of XSS like payloads injected into JS or CSS code instead of HTML. It might be good to ultimately add similar default prevention measures for JS and CSS contexts.

Another potential idea is to eventually add a section within the examples with clearly labeled and documented "Examples of what NOT to do" that illustrate the insecurely implemented handlers and explain what risks they pose.

@michalpokusa I'm curious if you have any thoughts or ideas around this or any other potential "guardrails" against XSS within the server.
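As an added illustration of the escape-by-default behaviour the description proposes (this is constructed example code, not the library's own `FormData` class and not code from the PR): a minimal stand-in that parses a URL-encoded form body and HTML-escapes values on access unless the caller opts out. `EscapedFormData`, its `escape_values` parameter and its `raw()` method are hypothetical names chosen for this example, not the project's API. The request body is constructed here from the payload quoted in the description.

```python
from html import escape
from urllib.parse import parse_qsl, quote


class EscapedFormData:
    """Hypothetical form-data container (not the library's class).

    Values are HTML-escaped when read through get(), so a handler that
    interpolates them into an HTML response cannot be used for reflected
    XSS. Passing escape_values=False returns the submitted text unchanged,
    for handlers that do their own context-specific encoding.
    """

    def __init__(self, body: str, escape_values: bool = True):
        # application/x-www-form-urlencoded body -> {field: value}
        self._fields = dict(parse_qsl(body, keep_blank_values=True))
        self._escape = escape_values

    def get(self, name: str, default=None):
        value = self._fields.get(name, default)
        if value is None or not self._escape:
            return value
        # quote=True also escapes ' and ", which matters inside attributes
        return escape(value, quote=True)

    def raw(self, name: str, default=None):
        """Explicit access to the unescaped value, regardless of the flag."""
        return self._fields.get(name, default)


def render_page(value: str) -> str:
    # The kind of template the form_data example reflects input into.
    return f"<html><body><p>You submitted: {value}</p></body></html>"


# Constructed: what a browser sends for the example form when the payload
# from the PR description is typed into the input box.
PAYLOAD = "<script>alert('xss');</script>"
BODY = "text=" + quote(PAYLOAD)


def vulnerable_handler(body: str) -> str:
    """Handler that opts out of escaping and reflects the raw value."""
    form = EscapedFormData(body, escape_values=False)
    return render_page(form.get("text"))


def hardened_handler(body: str) -> str:
    """Same handler relying on the default: the value arrives escaped."""
    form = EscapedFormData(body)
    return render_page(form.get("text"))


def is_reflected_unescaped(page: str) -> bool:
    """Simple check a test can run: does the raw payload survive into HTML?"""
    return PAYLOAD in page


if __name__ == "__main__":
    print(vulnerable_handler(BODY))
    print(hardened_handler(BODY))
```

The escaping here covers the HTML text and attribute contexts that the example page interpolates into; as the description notes, values placed inside inline JavaScript or CSS need their own context-specific encoding, which this stand-in does not attempt.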

michalpokusa (Contributor) left a comment

Nice, it is always good to increase default security.

When it comes to the "What NOT to do examples" section I can work on that during this week.

FoamyGuy (Contributor, Author)

Thank you!

Latest commits have integrated all of the changes from feedback.

@FoamyGuy FoamyGuy merged commit be65668 into adafruit:main Aug 22, 2023
adafruit-adabot added a commit to adafruit/Adafruit_CircuitPython_Bundle that referenced this pull request Aug 23, 2023