8

I have read the somewhat related question div contenteditable, XSS, but its answers do not highlight much about the XSS saftey of contenteditable. In particular with regards to accidental (as compared to intential cross-site-scripting). I am, of course, aware that I should sanitize user input server-side.

TL.DR.: Can I be certain that the user does not stand risk to introduce some external script(i.e. via data pasted from the clipboard) via a page Element being set contenteditable? Does the spec make certain that any markup pasted to the contenteditable is sanitized before being inserted into the DOM?

I have noticed that on two major Browsers I tested, Chromium/Chrome and Firefox, that it seems to be impossible to accidentally insert an active Elements into the contenteditable tag. An example for such an accedental insertion I would have imagined to be for instance:

  • user copies a Selection of DOM Elements from one webpage and inserts them into the contenteditable Element on another site.
  • user does (on linux command line) echo "<b onclick='alert("XSS");'>click me</b>" | xclip -t text/html -selection "clipboard" and pastes that into the contenteditable.

An active element would be anything like:

  • html markup containing a <script>
  • html markup containing elements with inline handlers such as onclick="alert(\"XSS\");"
  • html markup containing javascript hrefs such as <a href="javascript:alert(\"XSS\")"> click me </a>

Now my question is, seeing that contenteditable seems somewhat safe from having any normal XSS vector being pasted into, if that is by design?

I have read some specs/refs/whatever where it does neither explicitly mention that contenteditable should prevent any active Element being inserted into the DOM of the page, neither that it would be allowed. This leaves me in doubt if I should use the contenteditable feature, as I do not want to risk some external javascript being inserted into contenteditable. Answer this XSS safety of contenteditable is the core of this question.

Update In contrast to the contenteditable attribute the similar feature documents designMode, seems to be specific (see https://www.w3.org/TR/2008/WD-html5-20080610/web-browsers.html#designModeScriptBlocked) about the javascript being disabled (hence XSS prevented).

UPDATE 2 The most recent reference/spec cited on MDN is https://html.spec.whatwg.org/multipage/interaction.html#contenteditable which is oddly indifferent about any guarantees that contenteditable provides to not introduce malicous javascript via paste.

humanityANDpeace
  • 4,350
  • 3
  • 37
  • 63
  • 4
    As long as you sanitize the input on the server side I don't see why someone pasting a JavaScript in a `contenteditable` is even an issue. Anyone can open up the Dev Tools and execute any JavaScript on the page that might be sufficient enough for an XSS attack if the server-side isn't set-up to prevent that. – Deepak Kamat Dec 27 '17 at 16:40
  • 1
    @DeepakKamat I imagine that (assuming the user is logged in and has certain priveledges as for instance to delete content), the n I would think it problematic if pasting a malicious script would inherit this priveledges. What would you say? Furthermore i assume that XSS safety also covers the safety of the users data (such as his input data) a malicious script , if possible via `contenteditable` might then xhr/send the stuff to malicious third parties. Sure its nice that the server is uncompromised, but in my understanding also XSS that attacks the user account/data is bad, hence my concern – humanityANDpeace Dec 27 '17 at 16:45
  • Any reason why you're reading specs from 9 and a half years ago instead of current specs? – BoltClock Dec 27 '17 at 17:16
  • @BoltClock If there is a newer spec, I must have missed it and you are making a valid point. Besides the spec I cited is still the first my search engine provides me. I have also found https://w3c.github.io/editing/contentEditable.html. Just in case are you able to point to the updated specs, if they exist? – humanityANDpeace Dec 27 '17 at 17:23
  • https://www.w3.org/TR/html5/editing.html#making-document-regions-editable-the-contenteditable-content-attribute – BoltClock Dec 27 '17 at 17:28

1 Answers1

0

There is no standard which browsers must adhere to, so each browser will have its own implementation for handling user input. And if there is a way, you can be sure users will figure out how to do it (older browsers are usually the most susceptible). It's up to you to sanitize the user's input, whether it be from typing, pasting, etc. (I had to do this for a project, there's no way you can rely on it "just working").

As for designMode, the part you linked:

When a script is to be executed in a script execution context in which scripting is disabled, the script must do nothing and return nothing (a void return value).

Thus, for instance, enabling designMode will disable any event handler attributes, event listeners, timeouts, etc, that were set by scripts in the document.

This would make it appear designMode makes you "safe", but remember, specifications evolved over time, so without going back and testing all of the various browsers (or at least the ones your users have), you can never be sure.

Community
  • 1
  • 1
skyline3000
  • 7,639
  • 2
  • 24
  • 33
  • I have tested the "safe", via the `document.designMode="on"` and it did not behave as expected. https://stackoverflow.com/q/47996078/1711186 – humanityANDpeace Dec 27 '17 at 17:25
  • Gmail uses a `contenteditable` in its html5 user interface, so I cannot imagine any potential XSS or HTMLInjection https://davidyat.es/2016/02/16/contenteditable/ issue are left to the browser complete. To me it seems completely logical that any browser going so far as implementing contenteditable would implement it in a way that pasting content does not risk a data breach. The answer that there is no standard is either shocking or false, or risky :) – humanityANDpeace Dec 27 '17 at 17:47
  • I would say scary!! But believe me, I browsed for hours through documentation reading w3 specs on form elements, input events, & contenteditable only to conclude it is implementation specific. http://www.w3.org/TR/#w3c_all I worked on an HTML-based mail system similar to GMail using contentEditable and we coudln't use designMode since we wanted our own JS to still run inside. contentEditable is really no different than or – skyline3000 Dec 27 '17 at 18:20
  • The only place I found on W3.org that mentions cross-site scripting is on the wiki page: https://www.w3.org/Security/wiki/Cross_Site_Attacks and it lists XSS as the responsibility of the page owner, though this is user-generated and last updated 2009 so take it for what it's worth. – skyline3000 Dec 27 '17 at 18:22
  • nice information. One difference of course between / with regards to contentEditable is that the paste into the former, cannot lead to any XSS on the page itself, while the other (provided that the pasted HTML is rendered requires the user agent to sanitize (as does firefox at this point https://dxr.mozilla.org/mozilla-central/source/editor/libeditor/HTMLEditorDataTransfer.cpp#221 for instace). if you pasted any malicious copied html markup into a textarea you run no risk for XSS in the context of the loaded page, as you would with contenteditable. – humanityANDpeace Dec 27 '17 at 19:26