In the Neocities editor, it seems possible to input vulnerable text, and this will run in the browser (like the onload alert seen in the image below). Are there any security measures Neocities takes to sanitize user-generated pages and address vulnerabilities?
Viewed 231 times

1 Answer
If sites are loaded from separate domains, then they can't read each other's data, so the user site content can be loaded from domains that are separate from each other and separate from the main account pages.
You can control the JavaScript on your own site, but if you can't use that to run in the context of a different site, then it isn't a vulnerability.

– fgb
- Thanks so much for the response @fgb. Can you elaborate on this? I don't understand what's being described with "sites loading from separate domains" and "if you can't use that to run in the context of a different site." With something like the onload vulnerability shown above, wouldn't that make it possible to run scripts from a different site or do something malicious on the client side? – amatur Dec 31 '21 at 09:08
- Usually XSS would be used to read sensitive data from cookies or local session storage. But code from `site1.neocities.org` can't read cookies from `site2.neocities.org`. The owner of site1 can run JavaScript on any client that visits the page, but if it can only read cookies of site1, there's nothing it can do. – fgb Dec 31 '21 at 10:26
- An XSS vulnerability would be if someone other than the owner of `site1.neocities.org` could change the code of that site that is sent to a different user. – fgb Dec 31 '21 at 10:29
- Aha, so perhaps I titled the question poorly; maybe it doesn't have to do with XSS. If the owner of site1 (which could be anybody on the Internet) can run JavaScript on any client that visits the page, that's a vulnerability as well, right? And if so, what are the ways to protect users from malicious JavaScript from site1? Is there any sanitizing that Neocities does to prevent malicious JavaScript on site1? – amatur Jan 01 '22 at 08:28
- @amatur Running JavaScript by itself isn't a vulnerability. Most sites can already run JavaScript. If it's allowed at all, there's not any reliable way of telling whether it's malicious. It's up to the browser to run it safely and limit access to anything sensitive. – fgb Jan 01 '22 at 10:43
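The answer and the comment about `site1.neocities.org` not being able to read cookies from `site2.neocities.org` rest on two browser rules: the same-origin policy (scheme, host and port must all match before one page's script can touch another's DOM, storage or `document.cookie`) and the cookie domain-matching rule (a cookie is visible to a host only if the host equals the cookie's scope or is a subdomain of it). The block below is an added example, not code from the question, the answer or Neocities, that writes both rules out as functions and runs them over the hosts named in the thread. It also shows the caveat a practitioner would check: the separation holds for host-only cookies, but a cookie set with a parent `Domain=` attribute would be readable by every subdomain, which is exactly why the answer says the account pages must live apart from the user sites. `accounts.example.com` and the `sloppyCookie` value are hypothetical; the Public Suffix List is not consulted, and nothing here asserts whether `neocities.org` is on it.

```javascript
// Added example (not from the original post): the same-origin and cookie
// domain-matching rules the answer relies on, written out as functions.
// Hosts are from the thread except accounts.example.com, which is hypothetical.

// Origin = scheme + host + port (RFC 6454). Script on one page can read the
// DOM, localStorage or document.cookie of another only when origins match.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// RFC 6265 section 5.1.3 domain-matching: a cookie scoped to D is sent to
// host H if H === D or H ends with "." + D. IPv4 literals must match exactly
// (IPv6 literals are not handled in this example).
function cookieDomainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host === cookieDomain;
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// A cookie is host-only when it was set without a Domain attribute: its scope
// is the exact host that set it. With Domain=D it is shared by every host
// that domain-matches D.
function cookieVisibleTo(cookie, host) {
  const scope = cookie.domain ?? cookie.setBy;
  return cookieDomainMatches(host, scope);
}

// Widest Domain= value (at least two labels) that both hosts domain-match,
// i.e. the scope a cookie would need to be shared by both. This ignores the
// Public Suffix List: if the returned suffix is a public suffix, browsers
// refuse to set a cookie on it, which is what keeps subdomains of a shared
// hosting domain apart. Whether neocities.org is listed is not assumed here.
function sharedCookieScope(hostA, hostB) {
  const a = hostA.toLowerCase().split('.').reverse();
  const b = hostB.toLowerCase().split('.').reverse();
  const common = [];
  for (let i = 0; i < Math.min(a.length, b.length) && a[i] === b[i]; i++) {
    common.push(a[i]);
  }
  return common.length >= 2 ? common.reverse().join('.') : null;
}

// Constructed scenario: two user sites from the thread plus a hypothetical
// account page on a different registrable domain.
const userSite1 = 'https://site1.neocities.org/index.html';
const userSite2 = 'https://site2.neocities.org/';
const accountPage = 'https://accounts.example.com/settings';          // hypothetical
const sessionCookie = { name: 'session', setBy: 'accounts.example.com' }; // host-only
// Hypothetical misconfiguration: a session cookie scoped to the parent domain.
const sloppyCookie = { name: 'session', setBy: 'accounts.neocities.org', domain: 'neocities.org' };

function report() {
  return {
    site1ReadsSite2: sameOrigin(userSite1, userSite2),                       // false
    site1ReadsAccount: sameOrigin(userSite1, accountPage),                   // false
    hostOnlyCookieLeaks: cookieVisibleTo(sessionCookie, 'site1.neocities.org'),   // false
    parentDomainCookieLeaks: cookieVisibleTo(sloppyCookie, 'site1.neocities.org'), // true
    scopeSite1Site2: sharedCookieScope('site1.neocities.org', 'site2.neocities.org'), // 'neocities.org'
    scopeSite1Account: sharedCookieScope('site1.neocities.org', 'accounts.example.com'), // null
  };
}

console.log(report());
```

The `report()` result is the whole argument in one object: the two user sites are different origins, so script on site1 cannot read site2's page or its host-only cookies; a cookie scoped to the shared parent `neocities.org` would be visible to both, so the account session must never be scoped that way, and putting the account pages on a domain with no shared cookie scope at all (`scopeSite1Account` is `null`) removes the question entirely. That is the design the answer describes with "separate from the main account pages".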