-
-
Notifications
You must be signed in to change notification settings - Fork 777
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ER: Potential XSS Vulnerability in wins.js #5654
Comments
This comment was marked as outdated.
This comment was marked as outdated.
Finally regarding your suggestion to load wins data at build time rather than on page load, I will discuss that with Bonnie to see if she is interested in pursuing that. Thanks again for your contributions; we are very happy that you are on the website team! |
@jaasonw Regarding your comment
I wonder if you could indicate which pages load data on page load. I checked wins.js and project.js and both load data at build time using a liquid assign tag. |
@roslynwythe Sorry, I should clarify that by "load data" I meant the actual creation of DOM elements based on the data. Currently, data is retrieved when the visitor loads the page, and client-side javascript is used to generate the DOM elements. This becomes apparent when Javascript is disabled when visiting the website. When Javascript is disabled, the following pages fail to render properly: The events page does not display meeting times |
@jaasonw Thanks for the explanation. We are open to the idea of using safer DOM manipulation methods like But it sounds like alternatively, we could completely eliminate the JS that generates the DOM, instead using Jekyll to build the complete HTML at build time. And I assume that by using Could you offer pros and cons for that alternative? Or should we create an issue to explore those pros and cons? We really appreciate your contributions and look forward to working with you further on these issues. |
Make an issue to do option 1 so that we reduce vulnerability immediately and silence the warning. Make an epic that looks into the refactoring option and identifies all the places on the site that it would be required. |
This comment was marked as outdated.
This comment was marked as outdated.
|
@roslynwythe This ER is only partially resolved, we still need to do
|
@freaky4wrld I am still confused. It looks like this issues are both addressing the change of using createElement and textContent instead of innerHTML
And I what I was saying was missing was the issue or epic to do option 2 after option was complete.
Basically, option 1 is the fast, temporary fix, option 2 is the long term solution. So can you make the issues or epics for option 2 and we can put a dependency on them of the two above issues being complete. Or is there something else I don't understand. |
@ExperimentsInHonesty the issue #6303, is the issue for the fast and temporary fix that we require for the ER
Yes we would be making those issues..... |
@freaky4wrld - Bonnie is suggesting that in addition to refactoring the use of
|
Emergent Requirement - Problem
I originally submitted this as a security advisory, but @roslynwythe said there isn't a way to convert it to an issue so I'm reposting it here
Original text:
Issue you discovered this emergent requirement in
Date discovered
10/1/2023
Did you have to do something temporarily
Who was involved
@
What happens if this is not addressed
Resources
https://developer.mozilla.org/en-US/docs/Web/API/Document/createElement
https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent
https://medium.com/front-end-weekly/javascript-innerhtml-innertext-and-textcontent-b75ec895cbe3
https://jekyllrb.com/docs/datafiles/
Recommended Action Items
Potential solutions [draft]
option 1
option 2
Alternatively, I noticed a lot of the data on the website is loaded in on page load with javascript rather than at build time. Seeing as we already use Jekyll, I suggest using its built-in functionality with the strip_html filter to load data into the HTML at build time statically, as this has benefits to both page load times and accessibility benefits to visitors to the site that have javascript disabled
The text was updated successfully, but these errors were encountered: