From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 3C2A01FF396 for ; Thu, 23 May 2024 11:41:26 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6D3101C70D; Thu, 23 May 2024 11:41:45 +0200 (CEST) Date: Thu, 23 May 2024 11:41:41 +0200 From: Gabriel Goller To: Thomas Lamprecht Message-ID: <20240523094141.y7r2ywsenuolmmhe@luna.proxmox.com> References: <20240522131950.247728-1-g.goller@proxmox.com> <20240522131950.247728-3-g.goller@proxmox.com> <9d90baf0-5062-4c95-a9ce-739d4542751f@proxmox.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <9d90baf0-5062-4c95-a9ce-739d4542751f@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL -0.070 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pbs-devel] [PATCH proxmox-backup 2/4] ui: show consent banner before login X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Cc: Proxmox Backup Server development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" On 22.05.2024 17:21, Thomas Lamprecht wrote: >Am 22/05/2024 um 15:19 schrieb Gabriel Goller: >> diff --git a/www/index.hbs b/www/index.hbs >> index 824268e3..8a065a94 100644 >> --- a/www/index.hbs >> +++ b/www/index.hbs >> @@ -38,6 +38,7 @@ >> UserName: "{{ UserName }}", >> defaultLang: "{{ language }}", >> CSRFPreventionToken: "{{ CSRFPreventionToken }}", >> + consentText: `{{ consentText }}`, > >My knowledge about handlebars template and our integration of them is a bit >rusty, but are we sure that above does not allow code injection that can >alter the UI in some odd way, less an issue for users but might allow easily >to replace our product trademarks and other barriers that ensure that our >product stay economically viable without having to modify the code? Yes it does. For example if I paste this line into consent.txt: ${alert(1)} it gets executed and you get the alert window. BUT: I just discussed this a bit with Max and we found a solution: Using double quotes! Handlebars per default escapes some characters on the server-side [0], namely '"', '<' and '>'. This makes it impossible to escape this string (As you can't get "outside" of the string without using '"'): consentText: "{{ consentText }}", To allow newlines in the double quotes, we just need to escape them again, as they won't work out the box as with backticks. With my limited knowledge of XSS Injections, I think this looks quite good now :) [0]: https://github.com/sunng87/handlebars-rust/blob/1c92d492a644a563ec3bd4699b6427c86bb4eae9/src/support.rs#L43 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel