[squeak-dev] SqueakSource possible script injection vulnerabilities

David T. Lewis lewis at mail.msen.com
Sun Jun 19 23:01:12 UTC 2022


Guidance needed from folks familiar with web security:

Tony Garnock-Jones recently pointed out (in private communication because
it was security related) that our SqueakSource servers may be vulnerable
to inclusion of malicious scripts that users might include in project
description text and similar user-supplied text fields. Tony and I
experimented with a couple of approaches for blocking that sort of
vulnerability. Most recently, Tony wrote an HtmlSanitizer package
(now at http://www.squeaksource.com/HtmlSanitizer) and I included
this on the http://squeaksource.com server to prevent injection of hostile
JavaScript in project titles and scripts (see SqueakSource.sscom-dtl.1136
in the http://source.squeak.org/ss repository).

The idea here is that user-supplied strings that are held in the model
components for SqueakSource can be sanitized when accessed, such that
the resulting strings sent to a browser are cleaned of dangerous script
tags and content prior to being sent to the client browser, while still
remaining human-readable. This is working well for project titles and
descriptions on SqueakSource, and the approach can be extended to other
SqueakSource SSModel classes (maybe about a dozen accessor methods
affected, not too many).

I have little experience with web security, so I want to ask - does this
sound like a reasonable approach for preventing malicious scripts being
included in user-supplied data that is later rendered in someone else's
browser? Or is there perhaps some more general approach that can be used
by Seaside applications to protect against malicious scripts being passed around?

@Chris, whatever comes of this discussion, we can also include it in
source.squeak.org, although this seems less of a concern because that
server is primarily used by a limited number of people who are not
likely to be interested in causing mischief.

Dave
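For readers weighing the two approaches in this message, here is an added illustration in Python (not the HtmlSanitizer package or any SqueakSource code): the general default of escaping every user-supplied string on output, beside an allowlist sanitizer for the case where a field is meant to keep a little markup. The tag allowlist and the sample description text are constructed assumptions for the example.

```python
"""Two defences for user-supplied text that is later rendered in another
user's browser: escape everything on output (the safe default), or keep a
small allowlist of harmless tags and drop everything else, including the
contents of <script> blocks and every attribute (so no event handlers)."""
from html import escape
from html.parser import HTMLParser

# Assumption for this example: the only markup a description may keep.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
DROP_WITH_CONTENT = {"script", "style"}  # the tag *and* its inner text go


def escape_for_html(text: str) -> str:
    """Output encoding: the browser sees literal text, never markup."""
    return escape(text, quote=True)


class _AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied

    def handle_startendtag(self, tag, attrs):  # e.g. <br/>
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=True))  # text stays text


def sanitize_html(text: str) -> str:
    """Allowlist sanitizer: unknown tags vanish, their text is kept escaped."""
    parser = _AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

Sanitizing when the model accessor is read, as the message describes, is the same operation placed earlier; the important property in either placement is that nothing user-supplied reaches the page unescaped or unsanitized.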


