Mitigation of Mutation XSS attacks [WIP] [fixes #88]

vojtech-dobes · May 24, 2014 · 90199b0 · 90199b0 · xeno6696 · Mar 20, 2016
1 parent 1a80224
commit 90199b0
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/nette.ajax.js b/nette.ajax.js
@@ -441,12 +441,53 @@ $.nette.ext('snippets', {
 		} else if (!back && $el.is('[data-ajax-prepend]')) {
 			$el.prepend(html);
 		} else {
+			this.setHtml($el, html);
+		}
+	},
+	setHtml: function ($el, html) {
+		if (this.isMXSSMitigationPossible()) {
+			this.mitigateMXSS($el.get(0));
 			$el.html(html);
+		} else {
+			//  ... @todo
 		}
 	},
 	escapeSelector: function (selector) {
 		// thx to @uestla (https://github.com/uestla)
 		return selector.replace(/[\!"#\$%&'\(\)\*\+,\.\/:;<=>\?@\[\\\]\^`\{\|\}~]/g, '\\$&');
+	},
+	mitigateMXSS: function (element) {
+		var that = this;
+		if (typeof element.innerHTML === 'string') {
+			Object.defineProperty(element, 'innerHTML', {
+				get: function () { return that.changeInnerHtmlHandler(this, 'innerHTML') },
+				set: function (html) {
+					while (this.firstChild) {
+						this.removeChild(this.lastChild);
+					}
+					this.insertAdjacentHTML('afterBegin', html);
+				}
+			});
+		}
+	},
+	changeInnerHtmlHandler: function (element, type) {
+		var serializer = new XMLSerializer();
+		var domstring = '';
+		if (type === 'outerHTML') {
+			try {
+				domstring += serializer.serializeToString(element);
+			} catch(e) {}
+		} else {
+			for (var i in element.childNodes) {
+				try {
+					domstring += serializer.serializeToString(element.childNodes[i]);
+				} catch(e) {}
+			}
+		}
+		return domstring;
+	},
+	isMXSSMitigationPossible: function () {
+		// ... @todo
 	}
 });