
CS XSS Prevention update rule 6 JS/Node lib(s) #101

Closed
rdela opened this issue May 8, 2019 · 4 comments
Labels: ACK_OBTAINED (Issue acknowledged from core team so work can be done to fix it.), UPDATE_CS (Issue about the update/refactoring of an existing cheat sheet.)
Milestone: Roadmap 2019

Comments

rdela (Contributor) commented May 8, 2019

  • What update/refactoring do you want to perform?

Update JS/Node lib(s) on Cross Site Scripting Prevention rule 6.

Cross Site Scripting Prevention rule 6 links to ecto/bleach under "Other libraries that provide HTML Sanitization include: [...] JavaScript/Node.js Bleach" (Line 344).

The current (5-year-old) version of the bleach package contains 1 moderate severity vulnerability according to https://npmjs.com/advisories/47

Overview

All versions of the bleach package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function.

Remediation

The bleach package is not currently maintained, and has not seen an update since 2014.

To mitigate this issue, it is necessary to use an alternative module that is actively maintained and provides similar functionality.

The advisory then links to a fairly unhelpful search for "html sanitizer" on npmjs.com.

There is an open issue from 2016 at ecto/bleach#12.

My cursory research into currently maintained libraries yielded two options:

  1. cure53/DOMPurify, a DOM-only library that requires JSDOM on Node.js
  2. punkave/sanitize-html, a Node.js-only library that depends on htmlparser2

If OWASP contributors find both libraries adequate and satisfactory, my suggestion for the revision would be to split "JavaScript/Node.js Bleach" (Line 344) into two lines/list items like so:

If desired, I am willing to open a PR for the above suggested revision or whatever contributors advise. Thoughts?
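To make the advisory's "regular expression denial of service" concrete for reviewers of the cheat sheet, the following is an added example; it is not code from this issue, from bleach, or from either proposed replacement. It uses a constructed attribute-value check with the classic nested-quantifier shape (the pattern is not bleach's actual regex), puts the hardened form beside it, and adds a length cap as a defensive measure. The `MAX_ATTR_LEN` limit, the helper names and the hostile input are assumptions made for the example.

```javascript
// Added illustration for this issue (not code from OWASP, bleach, DOMPurify or
// sanitize-html). The npm advisory quoted above says bleach's sanitize() is
// open to regular-expression denial of service (ReDoS). This shows the bug
// class on a CONSTRUCTED attribute-value check so a reviewer can recognise
// the shape; the pattern is not bleach's own regex. Run: node redos.js

// Suppose a sanitizer keeps a class="" attribute only if it is a list of
// words. This first pattern is the classic ReDoS shape: the outer `*` and
// the inner `\w+` overlap because the separator `\s?` is optional, so a run
// of N word characters can be split between the two quantifiers in 2^(N-1)
// ways, and on a NON-matching input (trailing "!") the engine tries all of
// them before giving up.
const VULNERABLE_CLASS_RE = /^(\w+\s?)*$/;

function isWordListVulnerable(value) {
  return VULNERABLE_CLASS_RE.test(value);
}

// Hardened form: the separator is mandatory, so there is exactly one way to
// split the input and the match fails or succeeds in linear time.
const SAFE_CLASS_RE = /^\w+(?: \w+)*$/;

function isWordList(value) {
  return SAFE_CLASS_RE.test(value);
}

// Defence in depth: bound the input before any regex runs, so even a pattern
// nobody has audited cannot be handed an unbounded string.
// MAX_ATTR_LEN is an assumed limit chosen for this example.
const MAX_ATTR_LEN = 256;

function isWordListGuarded(value) {
  if (typeof value !== 'string' || value.length > MAX_ATTR_LEN) return false;
  return isWordList(value);
}

// Wall-clock time of one call, in milliseconds (Node's monotonic clock).
function timeMs(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed hostile input: N word characters followed by one character
// that makes the whole match fail, which is what forces the backtracking.
function hostileInput(n) {
  return 'a'.repeat(n) + '!';
}

// Stand-alone demo: one row per input length. The vulnerable column should
// roughly double with every extra character; the hardened column stays flat.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('n\tvulnerable ms\thardened ms');
  for (let n = 12; n <= 22; n += 2) {
    const input = hostileInput(n);
    const slow = timeMs(() => isWordListVulnerable(input));
    const fast = timeMs(() => isWordList(input));
    console.log(`${n}\t${slow.toFixed(2)}\t\t${fast.toFixed(3)}`);
  }
}
```

Both checks accept `"btn primary"` and reject `"btn<script>"`, so the difference is invisible on ordinary input; it only shows on a failing input of a few dozen characters, which is exactly why a sanitizer that is no longer maintained is a problem for rule 6. The length cap is a belt-and-braces measure, not a substitute for picking a maintained library with a sanitizer that does not rely on backtracking patterns.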

@rdela rdela added ACK_WAITING Issue waiting for acknowledgement from core team before starting the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of an existing cheat sheet. labels May 8, 2019
jmanico (Member) commented May 8, 2019 via email

righettod (Member) commented:

Thank you very much for your proposal, which is totally right. Please go ahead with your PR and ping us if you need help 😃

@righettod righettod added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting for acknowledgement from core team before starting the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. labels May 9, 2019
@righettod righettod added this to the Roadmap 2019 milestone May 9, 2019
@rdela rdela mentioned this issue May 9, 2019
rdela (Contributor, Author) commented May 9, 2019

Linked to PR #103 XSS CS Update

mackowski (Collaborator) commented:

One more time, thank you for your contribution 👍

@OWASP OWASP deleted a comment from jmanico Jun 17, 2019