by mtlynch
720 days ago
What I mean is that imagine you have HTML like this: <div hx-disable><img src="foo.jpg"></div>
You might screw up and give the attacker a way to control the src attribute like: <div hx-disable><img src="//evil.com/bad.jpg"></div>
So, maybe unintentional behavior but still no XSS. And if you let the attacker inject double quotes, then they can escape the attribute and do something like this: <div hx-disable><img src="foo" hx-delete="/account" hx-trigger="load"></div>
In this case, htmx would still prevent the XSS because hx-disable causes htmx to ignore the hx-delete attribute in the child element. But if we assume the server fails to encode angle brackets too, then the attacker wins because they can terminate the hx-disable, as described in the post. <div hx-disable><img src="foo"></div><span hx-delete="/account" hx-trigger="load"></span>
But they're different levels of screwup. Accidentally letting the attacker control the value of the attribute is one level, letting them inject extra attributes is another level, and letting them inject extra HTML elements is another level. Granted, if you're screwing up output encoding, you're likely going to grant the attacker the ability to inject elements at the same time that you allow them to inject attributes, but the defender has a bit more protection if they disallow or encode angle brackets in user input.
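Added example, not code from the thread or from htmx itself: an attribute-context encoder plus a rough structural check, run over the three levels of payload mtlynch describes above. `escapeAttr`, `renderImg`, `inspect` and `evaluate` are my own names, and the check assumes the template only ever uses double-quoted attribute values.

```javascript
// Encode a value for use inside a double-quoted HTML attribute.
// Encoding '"' keeps the value inside the attribute (level 2 fails);
// encoding '<' and '>' means it can never close the hx-disable wrapper (level 3 fails).
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Render the fragment from the comment. unsafe=true reproduces the bug
// (value dropped straight into the attribute); the default path encodes.
function renderImg(src, { unsafe = false } = {}) {
  const v = unsafe ? src : escapeAttr(src);
  return `<div hx-disable><img src="${v}"></div>`;
}

// Rough structural check: the template intends exactly three tags
// (div, img, /div) and no hx-* attribute besides hx-disable.
// Extra hx-* attributes = level 2 (attribute injection);
// extra tags = level 3 (element injection, which escapes the hx-disable wrapper).
function inspect(html) {
  // Drop properly quoted attribute values; only works because the encoder
  // turns every '"' in untrusted input into &quot;, so quotes stay paired.
  const skeleton = html.replace(/"[^"]*"/g, '""');
  const tags = (skeleton.match(/<\/?[a-zA-Z]/g) || []).length;
  const hxAttrs = (skeleton.match(/\shx-(?!disable\b)[a-z-]+=/g) || []).length;
  return { tags, hxAttrs, contained: tags === 3 && hxAttrs === 0 };
}

// Constructed payloads, one per level from the comment.
const PAYLOADS = {
  level1: '//evil.com/bad.jpg',                                           // controls the value only
  level2: 'foo" hx-delete="/account" hx-trigger="load',                   // adds attributes
  level3: 'foo"></div><span hx-delete="/account" hx-trigger="load"></span>', // adds elements
};

// For each level: is the output still structurally what the template intended?
function evaluate() {
  const out = {};
  for (const [level, p] of Object.entries(PAYLOADS)) {
    out[level] = {
      unsafe: inspect(renderImg(p, { unsafe: true })).contained,
      encoded: inspect(renderImg(p)).contained,
    };
  }
  return out;
}
```

Level 1 stays structurally intact even without encoding (the attacker only changed the image URL), which is the "still no XSS" case; levels 2 and 3 only stay intact once the value is encoded.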
These are ultimately the same problem. "Letting" is the wrong word here—nobody intends to let an XSS happen. These are two scenarios I've encountered in my own work:
- You're doing custom rendering, like markdown, and the output isn't exhaustively sanitized
- You used triple braces in Handlebars (or the unescaped output syntax of your favorite templating language) and the code gets reused for something unrelated that shouldn't be using unescaped output.
"Screwing up output encoding" is an alarmingly common vulnerability. XSS is arguably one of the most (if not the most) common security vulnerabilities ever. That's not to say it's a problem with HTMX, but the CSP exists specifically for this reason and HTMX essentially acts as an interpreter that can run arbitrary instructions. It's definitionally a way to bypass the CSP in the face of an XSS where a traditional attack would have been otherwise blocked by the CSP.