Found a scary security problem. There's some place I'm outputting text that comes from users, and I'm rendering it as unescaped HTML. This is a problem because it essentially allows users to rewrite the code of your website.
See how the screenshot looks extremely broken? Like there's code exploded out on the page and everything? This happened because I copied the page's source code and pasted it into the text input, just to see what happens. What happens is that a piece of data that's only ever meant to be plain text rendered within a <textarea> and within a <p> is allowed to break outside of those and render other HTML on the page. Whenever this is possible, you've got a problem to solve.
This could be leveraged by a malicious user to entirely replace a page. Maybe they use it to spoof a legit-looking Google login page and swipe passwords? I dunno, but it's a problem.
There's some place in my code where I'm allowing unescaped HTML. I think it's where I use EJS to render a JSON object in the page's body. I do this to pass data from the server that's immediately accessible from the client. The escaping probably should be handled after being received by the server and before being saved to the database. That way I have a system that prevents untrusted stuff from persisting in the database.
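An added example, not code from the original post, of what the unescaped JSON render described above does and how to embed the same object safely; it assumes the data lands in a <script> element via EJS's raw <%- %> tag (the <%= %> tag HTML-escapes, which suits text inside a <textarea> or <p> but is not the right encoding inside a script), and every function and sample value below is constructed for illustration.

```javascript
// Added example (not from the original post): embedding a server-side JSON
// object in an HTML page without letting user-controlled strings break out of
// the <script> element. Mirrors the EJS situation described above, where a raw
// `<%- JSON.stringify(data) %>` (unescaped output) is the likely culprit.

// Escape the characters that let a JSON string terminate or alter the
// surrounding HTML/JS context. Each replacement is still valid JSON, so the
// client can JSON.parse() the result unchanged.
function jsonForScriptTag(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')      // neutralises "</script>" and any other tag
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028') // line terminators older JS engines reject
    .replace(/\u2029/g, '\\u2029'); // inside string literals
}

// What raw interpolation (`<%- %>`) effectively produces.
function renderUnsafe(data) {
  return `<script>window.__DATA__ = ${JSON.stringify(data)};</script>`;
}

// Hardened rendering: same data, same client-side usage, but escaped.
function renderSafe(data) {
  return `<script>window.__DATA__ = ${jsonForScriptTag(data)};</script>`;
}

// Constructed sample: a user-supplied comment that happens to contain a
// closing tag, like the pasted page source in the post.
const sampleData = {
  user: 'alice',
  comment: 'nice post </script><p>not supposed to be markup</p>',
};

// Detection check: does the rendered HTML contain more than the one intended
// "</script>"? If so, the browser ends the script early and parses the rest
// of the user string as markup.
function breaksOutOfScript(html) {
  const closers = html.match(/<\/script>/gi) || [];
  return closers.length > 1;
}

// Round-trip check: the escaped JSON still decodes to the original value, so
// the client code that reads window.__DATA__ needs no changes.
function roundTrips(data) {
  const parsed = JSON.parse(jsonForScriptTag(data));
  return parsed.user === data.user && parsed.comment === data.comment;
}

console.log(breaksOutOfScript(renderUnsafe(sampleData))); // true
console.log(breaksOutOfScript(renderSafe(sampleData)));   // false
```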
This probably needs to be accounted for on the Mongo side to actually be secure, but that's not really where I wanna spend time right now.