plugins/command-line/prism-command-line.js


Log

Author: Rob Wu
Commit: 17e33bc0
Date: 2016-11-20T12:52:54
Message: Reduce risk of XSS (#1051)

* Skip non-own properties of env.attributes

  Use `Object.keys` instead of a for-in loop to find optional attributes. The former only grabs keys that are own properties, the latter also includes inherited properties from `Object.prototype`. This reduces the risk of XSS if an attacker somehow manages to manipulate the prototype chain of the Object prototype.

* Fix root cause of XSS in autolinker plugin #1054

* command-line plugin: Safely encode attributes

  If an attacker has control over the values of the attributes "data-prompt", "data-user", or "data-host", then XSS was possible. This fixes the issue, by encoding quotes as the `&quot;` entity.

* show-language plugin: innerHTML -> textContent

  There is no need for `innerHTML` here. At best nothing happens, at worst XSS is possible (though the odds are negligible since the attacker would have to control the detected language).

* toolbar plugin: innerHTML -> textContent

Author: Chris Wells
Commit: 298dca59
Date: 2015-12-29T19:36:08
Message: Remove the need for an "output" class.

Author: Chris Wells
Commit: 83789062
Date: 2015-11-29T20:27:14
Message: Add Command Line plugin.