I wonder if triple curly brackets sanitize user input within templates to be XSS safe. <script> tags won't render out, but how about other creepy XSS hacks?
Thanks in advance!
It's not safe, because you can still run malicious code, like this:
Template.xx.helpers({
  'bad': function() {
    // Single-quoted JS string so the double quotes of the HTML attributes don't end the string early
    return '<a href="#" onclick="alert(\'compromised\');">CLICK ME PLZ!</a>';
  }
});
The template
<template name="xx"> {{{bad}}} </template>
This means the user needs to click the button, but you could make it more of a sure thing by using other events such as onmouseover:
A floating div can take up all the space and use mouseovers to assure the code is run. This can be used as the return value in this example:
<div style="width:100%; height:100%; position: fixed;" onmouseover="console.log('haha');"></div>
You can also have other exploits such as changing page content via CSS (using content: or higher z-index floating divs to change the page's content).
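Added example, not from the original post or from Meteor/Blaze itself: the defensive counterpart to the answer above. Double braces `{{ }}` escape the value as text (the `escapeText` function below mirrors that); if raw HTML really must go through `{{{ }}}`, run it through an allowlist sanitizer first that rebuilds each tag from scratch, so the `onclick` anchor, the `onmouseover` overlay div, `javascript:` links and `<script>` never reach the output. The tag and attribute lists are an assumption chosen for this example.

```javascript
// Added example (not the original post's code): allowlist sanitizer for HTML
// that will be rendered unescaped by {{{ }}}. Every tag is rebuilt from a
// fixed list, so event-handler attributes, style overlays and script tags
// are dropped rather than "cleaned". The tag list is an assumption.
const ALLOWED_TAGS = { a: ["href"], b: [], i: [], em: [], strong: [], p: [], br: [] };

// What {{ }} (double braces) does to a value: treat it as text, never markup.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only these URL forms survive in href; javascript:, data: and
// entity-encoded schemes fail the test and the attribute is removed.
const SAFE_HREF = /^(https?:|\/|#)/i;

function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    // Text between tags is escaped, never copied through raw.
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    const closing = m[0].charAt(1) === "/";
    // Unknown tag (script, div, ...): drop the tag itself, keep its inner text as text.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, tag)) continue;
    if (closing) {
      out += "</" + tag + ">";
      continue;
    }
    let attrs = "";
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      if (!ALLOWED_TAGS[tag].includes(name)) continue; // onclick, onmouseover, style ... gone
      if (name === "href" && !SAFE_HREF.test(value.trim())) continue;
      attrs += " " + name + '="' + escapeText(value) + '"';
    }
    out += "<" + tag + attrs + ">";
  }
  return out + escapeText(html.slice(last));
}
// sanitizeHtml('<a href="#" onclick="alert(1)">x</a>') returns '<a href="#">x</a>'
```

In a real project use a maintained sanitizer such as DOMPurify; this block only shows the allowlist-and-rebuild approach that makes a `{{{ }}}` block safe.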