path: root/tests/ui/patchable-function-entry/patchable-function-entry-attribute.rs
author: Guillaume Gomez <guillaume1.gomez@gmail.com> 2024-01-30 11:19:13 +0100
committer: GitHub <noreply@github.com> 2024-01-30 11:19:13 +0100
commit: b60707e174b4b3edef55dd09358bdd72ee75e549 (patch)
tree: ced6b82bf1d9d7c3f3368e83e1db233a3d5823a7 /tests/ui/patchable-function-entry/patchable-function-entry-attribute.rs
parent: d3d621b205c79a373b5c90cf993fd99972b93f2f (diff)
parent: 32a0afe30c26044a62d098910464989258f0bc2e (diff)
Rollup merge of #120250 - chadnorvell:rustdoc-xss, r=notriddle
rustdoc: Prevent JS injection from localStorage

It turns out that you can execute arbitrary JavaScript on the rustdocs settings page. Here's how:

1. Open `settings.html` on a rustdocs site.
2. Set "preferred light theme" to "dark" to initialize the corresponding localStorage value.
3. Plant a payload by executing this in your browser's dev console: ``Object.keys(localStorage).forEach(key=>localStorage.setItem(key,`javascript:alert()//*/javascript:javascript:"/*'/*\`/*--></noscript></title></textarea></style></template></noembed></script><html " onmouseover=/*&lt;svg/*/onload=alert()onload=alert()//><svg onload=alert()><svg onload=alert()>*/</style><script>alert()</script><style>`));``
4. Refresh the page -- you should see an alert.

This could be particularly dangerous if rustdocs are deployed on a domain hosting some other application. Malicious code could circumvent `same-origin` policies and do mischievous things with user data.

This change ensures that only defined themes can actually be selected (arbitrary strings from localStorage will not be written to the document), and for good measure sanitizes the theme name.
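
The two measures named in the last paragraph of the commit message (accept only defined themes, then sanitize the name), sketched as an added example; this is not rustdoc's code and not part of the commit. The function names, the storage key, the stylesheet path and the in-memory storage stand-in are assumptions made so the sketch runs under Node.

```javascript
// Added example: hypothetical names throughout, not rustdoc's implementation.
// Constructed allowlist; a real page would build it from the themes it ships.
const KNOWN_THEMES = Object.freeze(["light", "dark", "ayu"]);
const DEFAULT_THEME = "light";
const THEME_KEY = "preferred-light-theme"; // constructed storage key

// Defence in depth: strip everything a plain theme name cannot contain.
function sanitizeThemeName(name) {
    return String(name).replace(/[^A-Za-z0-9_-]/g, "");
}

// Return a theme name that is safe to write into the document.
// A stored value is attacker-controlled input: anything that is not
// exactly one of the known themes is discarded, never echoed or "repaired".
function resolveTheme(storedValue, knownThemes = KNOWN_THEMES, fallback = DEFAULT_THEME) {
    if (typeof storedValue !== "string") {
        return fallback; // key missing (null) or wrong type
    }
    const cleaned = sanitizeThemeName(storedValue);
    if (cleaned !== storedValue) {
        return fallback; // contained markup or other unexpected characters
    }
    return knownThemes.includes(cleaned) ? cleaned : fallback;
}

// Minimal stand-in for window.localStorage so the example runs offline.
function makeStorage(initial) {
    const items = new Map(Object.entries(initial));
    return {
        getItem: (key) => (items.has(key) ? items.get(key) : null),
        setItem: (key, value) => { items.set(key, String(value)); },
    };
}

// The only string derived from storage that reaches the page is one
// of the allowlisted names.
function themeStylesheetHref(storage, key = THEME_KEY) {
    return `static/${resolveTheme(storage.getItem(key))}.css`;
}

// Constructed sample values: one legitimate, one tampered.
const clean = makeStorage({ [THEME_KEY]: "dark" });
const tampered = makeStorage({ [THEME_KEY]: 'dark"><svg onload=alert()>' });
console.log(themeStylesheetHref(clean));
console.log(themeStylesheetHref(tampered));
```

Rejecting a value that changes under sanitization, rather than using the sanitized result, keeps a tampered string such as `da<rk` from being normalized into a valid theme.
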
Diffstat (limited to 'tests/ui/patchable-function-entry/patchable-function-entry-attribute.rs')
0 files changed, 0 insertions, 0 deletions