Pull Request for Issue # .
- Joomla.JText instances with Joomla.Text (JText is a proxy to Text)
- Joomla.sanitize()
Basically, review that the 2 things don't have any typos, and move around the backend to confirm that nothing is broken.
XSS vulnerabilities
No XSS
Don't use innerHTML, or if there's no way around it, use the sanitiser.
Status | New | ⇒ | Pending |
Category | ⇒ | JavaScript Repository NPM Change |
So I can close the three issues I opened?
If this amount of changes is OK then yes; if not, I guess someone has to split this PR into multiple PRs and you will have to wait for that.
For me it's fine - closing those issues now.
Do the following need changing?
administrator\components\com_media\resources\scripts\app\Notifications.es6.js
39,33: [options.type]: [Joomla.JText._(message)],
administrator\components\com_media\resources\scripts\plugins\translate.es6.js
7,30: translate: (key) => Joomla.JText._(key, key),
build\media_source\system\js\core.es6.js
223,40: * Joomla.loadOptions({'joomla.jtext': null});
257,52: const newStrings = Joomla.getOptions('joomla.jtext');
262,38: Joomla.loadOptions({ 'joomla.jtext': null });
287,38: * For B/C we still support Joomla.JText
293,10: Joomla.JText = Joomla.Text;
installation\template\js\setup.js
93,49: Joomla.renderMessages({'error': [Joomla.JText._('INSTL_DATABASE_RESPONSE_ERROR')]});
114,42: Joomla.renderMessages([['', Joomla.JText._('JLIB_DATABASE_ERROR_DATABASE_CONNECT', 'A Database error occurred.')]]);
installation\template\js\template.js
183,51: Joomla.renderMessages({'error': [Joomla.JText._('INSTL_DATABASE_RESPONSE_ERROR')]});
207,44: Joomla.renderMessages([['', Joomla.JText._('JLIB_DATABASE_ERROR_DATABASE_CONNECT', 'A Database error occurred.')]]);
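As an added example (not code from this PR or from Joomla's core.js), a minimal stand-in for the Joomla.Text store with the 'joomla.jtext' options hand-off and the Joomla.JText B/C alias seen in the core.es6.js lines above, plus a renderMessages stand-in that inserts translated strings with textContent instead of innerHTML. The `doc` parameter, the `alert alert-<type>` class name and the string values are assumptions made for the example.

```javascript
// Added example, not Joomla core code. Stand-ins for Joomla.Text / Joomla.JText.
const Joomla = {};
const scriptOptions = {}; // stand-in for what Joomla.getOptions() reads
const strings = {};       // translation store: UPPER-CASE key -> string

Joomla.loadOptions = (opts) => { Object.assign(scriptOptions, opts); };
Joomla.getOptions = (key) => scriptOptions[key];

Joomla.Text = {
  // Merge a { KEY: 'string' } object into the store (keys normalised to upper case).
  load: (obj) => {
    Object.keys(obj).forEach((k) => { strings[k.toUpperCase()] = obj[k]; });
    return Joomla.Text;
  },
  // Look a key up, first draining strings queued under 'joomla.jtext' (the
  // hand-off pattern from core.es6.js). Falls back to def, then to the key itself.
  _: (key, def) => {
    const queued = Joomla.getOptions('joomla.jtext');
    if (queued) {
      Joomla.Text.load(queued);
      Joomla.loadOptions({ 'joomla.jtext': null });
    }
    const k = key.toUpperCase();
    if (Object.prototype.hasOwnProperty.call(strings, k)) return strings[k];
    return def !== undefined ? def : key;
  },
};
// For B/C we still support Joomla.JText
Joomla.JText = Joomla.Text;

// Render { type: [message, ...] } into container using text nodes only, so any
// markup inside a translated string is displayed literally rather than parsed.
// `doc` is injected (assumption) so the function also runs outside a browser.
function renderMessages(doc, container, messages) {
  Object.keys(messages).forEach((type) => {
    const list = doc.createElement('ul');
    list.className = `alert alert-${type}`; // class name is an assumption
    messages[type].forEach((msg) => {
      const item = doc.createElement('li');
      item.textContent = msg;               // never item.innerHTML = msg
      list.appendChild(item);
    });
    container.appendChild(list);
  });
  return container;
}
```

In a browser this would be called as renderMessages(document, document.getElementById('system-message-container'), { error: [Joomla.Text._('INSTL_DATABASE_RESPONSE_ERROR')] }).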
Also what about the instances of inline scripts that use JText?
Basically, the core JS just followed the PHP changes (e.g. using the namespaced Text instead of JText), but both PHP and JS will still be OK with the old notation; it's more about consistency.
What I meant is that the xss potential is still present in the inline scripts that are created in the php files.
example administrator\components\com_config\src\Field\FiltersField.php
Yes, of course, those need patching as well, but honestly it makes sense to always treat JS as static assets now that HTTP3 is a reality...
PS: I'll try to do another PR for the inline scripts.
now that HTTP3 is a reality...
Only if you are using Cloudflare atm.
I was referring to browsers support (all support H3 only Safari is still behind a flag)
Category | JavaScript Repository NPM Change | ⇒ | Administration com_config JavaScript com_media NPM Change Repository |
I have tested this item
I checked for typos and checked as many backend options for errors as possible.
Go to System > Install > Extensions > Install from Web.
The logo spins indefinitely.
Uncaught TypeError: document.getElementById(...) is null client.js:90:22
onSuccess media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:90
onreadystatechange media/system/js/core.js?9319e6d9dbbaab07686e2a2c8beb031b:708
request media/system/js/core.js?9319e6d9dbbaab07686e2a2c8beb031b:699
loadweb media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:73
loadweb media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:72
initialise media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:40
initialiser media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:411
setTimeout handler* media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:426
EventListener.handleEvent* media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:390
<anonymous> media/plg_installer_webinstaller/js/client.js?9319e6d9dbbaab07686e2a2c8beb031b:428
I have tested this item
Thank you!
I have tested this item
Moved around the backend to confirm that nothing is broken, as far as I saw.
Firefox, macOS.
Status | Pending | ⇒ | Ready to Commit |
RTC
@RickR2H @Quy @sandramay0905 Could you test again? Thanks in advance.
Status | Ready to Commit | ⇒ | Pending |
Back to pending.
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-06-13 22:47:08 |
Closed_By | ⇒ | wilsonge | |
The last two things are undoing changes. So I'm happy with the original tests. Thanks guys!