Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Convert stylesheet.innerHTML to stylesheet.innerText #8397

Merged
merged 1 commit into from
Aug 26, 2020

Conversation

LukeWood
Copy link
Contributor

@LukeWood LukeWood commented Aug 17, 2020

Browsers will interpret this the same but this protects
against attacks such as:

https://www.netsparker.com/blog/web-security/private-data-stolen-exploiting-css-injection/

Change-Id: I34062ad3562a1791ec4ea5a404acf8f459cdcef9
Signed-off-by: LukeWood lukewoodcs@gmail.com

What it does

Removes an XSS Sinks from Theia.

How to test

Should already be tested in unit tests

Review checklist

Reminder for reviewers

Browsers will interpret this the same but this protects
against attacks such as:

Change-Id: I34062ad3562a1791ec4ea5a404acf8f459cdcef9
https: //www.netsparker.com/blog/web-security/private-data-stolen-exploiting-css-injection/
Signed-off-by: LukeWood <lukewoodcs@gmail.com>
@vince-fugnitto vince-fugnitto added plug-in system issues related to the plug-in system security issues related to security labels Aug 17, 2020
Copy link
Member

@vince-fugnitto vince-fugnitto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I verified that changing file-icon themes (contributed by plugins) still works correctly after the change.
Thank you! 👍

@vince-fugnitto
Copy link
Member

I'll merge tomorrow if there are no objections 👍

@LukeWood
Copy link
Contributor Author

Cool - thank you!

@vince-fugnitto vince-fugnitto merged commit d25a279 into eclipse-theia:master Aug 26, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
plug-in system issues related to the plug-in system security issues related to security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants