
In a tool I'm creating, there are several <input> and <textarea> fields that are essentially acting as glorified notepads. The only things that happen to these fields are basic editing (adding strings to the value) or copying/pasting them. Here's a snippet of one part of the tool:

HTML:

    <button onclick="auth();" class="bOwn bLight">Copy</button> <button onclick="authClear();" class="bOwn bRed">Clear</button> &nbsp;
    <input type="checkbox" id="postSCActivity" name="postSCActivity" value="Activity after Stat Change"><label for="postSCActivity">Activity after Status Change?</label><br>
    <textarea id="auth" class="textbox"></textarea><p></p>

JS:

    // Requires jQuery. lastClickedField is a global shared with the rest of the tool.
    var lastClickedField;

    function auth() {
        $("#auth").removeClass("textSelected");
        lastClickedField = "#auth";

        var prefix = "\n\n";
        var content = $("#auth").val();
        // #opcode is the value entered at the login screen (letters and digits only).
        var suffix = "  //" + $("#opcode").val();
        var postSCActivity = "";

        if ($("#postSCActivity").prop("checked")) {
            postSCActivity = "  Additional activity follows the status change(s).";
        } else {
            postSCActivity = "  No activity follows the status change(s).";
        }

        if (content != "") {
            // Temporarily set the decorated text, copy it, then restore the original value.
            $("#auth").val(prefix + content + postSCActivity + suffix);
            $("#auth").select();
            document.execCommand('copy');
            $("#auth").addClass("textSelected");
            $("#auth").val(content);
        } else {
            $('#blankCopy').show();
            $("#blankButton").focus();
        }
    }

    function authClear() {
        $("#auth").val("");
        $("#auth").removeClass("textSelected");
        $("#postSCActivity").prop("checked", false);
    }

For the above JavaScript, the variable suffix is entered at a login screen that only accepts letters and numbers, no symbols.

At no point does anything get submitted; this is literally only a glorified notepad that automatically adds text and copies text to the clipboard. Are there any known ways to insert javascript that would run? I can't figure out anything... I tried typing out functions, but it just copies the text. I feel it's pretty solid, but knowing my luck, I'm overlooking something. I wanted to see what I could be missing, and how I can better secure the tool, if anything else has to be done.

  • Do you mean that the user is typing JavaScript statements into the text area, and you want to execute them? Use the `eval()` function. – Barmar Aug 03 '21 at 16:37
  • If I understood what you want to achieve, you could use [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)... at your own (or the user's) [risk](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!) – secan Aug 03 '21 at 16:39
  • "*how I can better secure the tool*" - what exactly are you trying to secure against? Build a [threat model](https://owasp.org/www-community/Threat_Modeling). If this is a local tool, that is only ever used by a single user, the only one the user can attack are themselves. – Bergi Aug 03 '21 at 17:41
  • @Barmar I do *not* want the user to be able to run javascript or do anything. As far as I know, my code does it, but what I want to know is if anyone can find OTHER ways of making it run, based on the code I've written (let's say, is there a way someone can use my tool to create a script that sends information to a website by writing a script in one of these textarea fields? I don't know of any realistic way to do so, but perhaps someone does, and if so, how can I prevent that from happening?) – Anthony LoPrimo Aug 03 '21 at 18:07
  • @secan I *don't* want people executing code, so `eval()` would absolutely not be something I'd use. I just don't know if there's any other way to run arbitrary code from what I've created so far. – Anthony LoPrimo Aug 03 '21 at 18:09
  • @Bergi I want to secure against arbitrary code. Like I recall a while back, someone was able to get very compact javascript to run from a tweet on twitter. But, if I remember correctly, that only worked once the tweet was actually posted. Since none of the typed content will ever become part of the html (only part of the textarea), I want to know if there are any other known ways to make arbitrary code run from the code I have so far. I don't know of any, and I just want to know if anyone else knows of a way to run code. If there isn't, I'm all set. – Anthony LoPrimo Aug 03 '21 at 18:11
  • Yes, you're safe against stored or reflected XSS, but there might still be a local XSS bug, and of course the user might always get tricked into self XSS. But still, what would an attacker gain by executing code in the page of your tool? – Bergi Aug 03 '21 at 21:18

1 Answer


It has nothing to do with the server or a submit, although that is a common way to exploit things. What matters is the context where you introduce user-provided data.

There are two contexts - interpreting and rendering.

If an attacker can use your program to write their data into a context where that data can be interpreted when it should be rendered, then they can trick your program into executing their hack.

Take this example:

    document.write('<textarea>' + userData + '</textarea>')

versus:

    // value is a property, not a method: assign the string to it
    document.getElementById('myTextArea').value = userData

Do you see the difference? In the first example, the information is parsed by the browser and gives the attacker the opportunity to trick the browser into executing their code. In the second part, the value(...) function expects a string and doesn't parse it - it's a string to be rendered, not interpreted. There's no ambiguity.

Regular HTML doesn't have function calls. It jumps between rendered, and interpreted, and back over and over. It's easy to trick it.

– Jonathan
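The two contexts from the answer, as an added example that is not part of the question or the answer. It uses plain strings instead of a browser DOM so it runs in Node; `buildTextareaInterpreted`, `buildTextareaEscaped`, `setTextareaValue`, `escapeHtml` and `countTags` are names chosen here, and the "user" input is constructed. It also goes one step beyond the answer by showing what escaping does when concatenation into HTML is unavoidable.

```javascript
// Constructed sample of what a user might type into the notepad: ordinary
// text that happens to contain markup, including a closing tag.
const userData = "my note </textarea><b>injected</b>";

// Interpreted context: the data is concatenated into HTML that the browser
// will parse (as with document.write). A closing tag inside the data ends
// the textarea early and the rest becomes live markup.
function buildTextareaInterpreted(data) {
  return "<textarea>" + data + "</textarea>";
}

// Escape the five characters that carry meaning in HTML text and attributes,
// so the browser renders them as characters instead of interpreting them.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same interpreted context, but the data is escaped before concatenation;
// the markup inside the data survives only as text.
function buildTextareaEscaped(data) {
  return "<textarea>" + escapeHtml(data) + "</textarea>";
}

// Rendered context: what the question's $("#auth").val(...) (or
// element.value = data) does. The string is stored as a value and never
// parsed as HTML, so there is nothing for the browser to interpret.
// A plain object stands in for the DOM element here.
function setTextareaValue(textarea, data) {
  textarea.value = String(data);
  return textarea;
}

// Crude tag counter: how many elements the browser would create from a
// markup string. Good enough to compare the two build functions.
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}
```

Running `countTags` on the two build results shows the difference directly: the unescaped version yields five tags (the user's `</textarea>`, `<b>` and `</b>` are all interpreted), the escaped version only the two the page author wrote.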