From f22df72b7420d411a88efd7dd4cc5c6670d29660 Mon Sep 17 00:00:00 2001
From: cleo-demay
Date: Mon, 30 Jan 2023 17:09:33 +0100
Subject: [PATCH 1/4] Modifications partie 1
---
 pw/pw-xss/client/src/app/home/home.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pw/pw-xss/client/src/app/home/home.html b/pw/pw-xss/client/src/app/home/home.html
index 08d6cdbe..8d9e14df 100644
--- a/pw/pw-xss/client/src/app/home/home.html
+++ b/pw/pw-xss/client/src/app/home/home.html
@@ -22,9 +22,9 @@

{{message}}

- {{currentNew.author}}
- {{currentNew.category}}
- {{currentNew.content}}
+ + > +
From 3a8ecd0bb005afe3482250ade5d038a0a3526f65 Mon Sep 17 00:00:00 2001
From: Corentin-Dessenne
Date: Mon, 30 Jan 2023 17:09:58 +0100
Subject: [PATCH 2/4] Part 2 of XSS pw. Ready for PR
---
 pw/pw-xss/client/src/app/home/home.html | 4 ++--
 pw/pw-xss/client/src/app/home/home.ts | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/pw/pw-xss/client/src/app/home/home.html b/pw/pw-xss/client/src/app/home/home.html
index 08d6cdbe..5c9880e7 100644
--- a/pw/pw-xss/client/src/app/home/home.html
+++ b/pw/pw-xss/client/src/app/home/home.html
@@ -1,5 +1,5 @@
-

{{message}}

+

{{message}}

@@ -41,7 +41,7 @@

{{message}}

And the news of the day is...

-

{{newsOfTheDay.content}} from {{newsOfTheDay.author}}

+

from {{newsOfTheDay.author}}

\ No newline at end of file
diff --git a/pw/pw-xss/client/src/app/home/home.ts b/pw/pw-xss/client/src/app/home/home.ts
index 189f38e3..35eec39c 100644
--- a/pw/pw-xss/client/src/app/home/home.ts
+++ b/pw/pw-xss/client/src/app/home/home.ts
@@ -3,7 +3,7 @@
 import { Observable } from 'rxjs';
 import { NewsService } from '../services/newsService';
 import { News } from '../beans/news';
-// import {DomSanitizer} from '@angular/platform-browser'
+import {DomSanitizer} from '@angular/platform-browser'
 @Component({
 selector: 'home',
@@ -15,17 +15,17 @@ export class Home implements OnInit {
 news: News[] = [];
 newsOfTheDay: News = {};
 nextNews: News = {};
- //trustedUrl: string;
+ trustedUrl: string = '';
 constructor(
 private newsService: NewsService,
- // private sanitizer: DomSanitizer
+ private sanitizer: DomSanitizer
 ) {}
 ngOnInit() {
 // javascript: URLs are dangerous if attacker controlled.
 // Angular sanitizes them in data binding, but you can
 // explicitly tell Angular to trust this value:
- //this.trustedUrl = this.sanitizer.bypassSecurityTrustUrl('javascript:alert("Don\'t forget to add a comment in the bottom please!")');
+ this.trustedUrl = this.sanitizer.bypassSecurityTrustUrl('javascript:alert("Don\'t forget to add a comment in the bottom please!")');
 this.updateNews();
 }
@@ -38,7 +38,7 @@ export class Home implements OnInit {
 this.newsOfTheDay = news;
 // uncomment the line below only for demo purpose, don't do this in a real situation
 // if you want to force a given scripting which you trust and is under you strict control (never from user input), use DomSanitizer#bypassSecurityTrustHtml(String) method
- //this.newsOfTheDay.content = this.sanitizer.bypassSecurityTrustHtml(this.newsOfTheDay.content);
+ this.newsOfTheDay.content = this.sanitizer.bypassSecurityTrustHtml('');
 });
 }
From b40db37be7d9025acb4086346fa445695360ea71 Mon Sep 17 00:00:00 2001
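Review bot: In the `@@ -15,17 +15,17 @@` hunk of home.ts the new field `trustedUrl: string = '';` is assigned the result of `this.sanitizer.bypassSecurityTrustUrl(...)` a few lines below in `ngOnInit`, and that method returns Angular's `SafeUrl`, which is not assignable to `string`, so the file should fail type-checking as committed. Declare the field with the sanitizer's return type, `trustedUrl: SafeUrl = '';`, and widen the new import on the `@@ -3,7` hunk to `import { DomSanitizer, SafeUrl } from '@angular/platform-browser';`. The `@@ -38,7` hunk has the same shape: `this.newsOfTheDay.content` receives a `SafeHtml`, and whether the `News` bean's `content` field accepts that is not visible here (the bean lives in ../beans/news, and that hunk sits inside a callback whose `updateNews` method starts above the hunk). Both bypass calls now run unconditionally on every load while the existing comment still says the second one is for demo purposes only; the lab's intent would be clearer with a comment on the `ngOnInit` assignment stating that the argument is a fixed literal chosen for the exercise, e.g. `// Lab demo: fixed literal, never data from the service or the user.`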
From: Corentin Dessenne
Date: Mon, 13 Feb 2023 15:33:03 +0100
Subject: [PATCH 3/4] Update home.ts
---
 pw/pw-xss/client/src/app/home/home.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pw/pw-xss/client/src/app/home/home.ts b/pw/pw-xss/client/src/app/home/home.ts
index 35eec39c..9eac11cc 100644
--- a/pw/pw-xss/client/src/app/home/home.ts
+++ b/pw/pw-xss/client/src/app/home/home.ts
@@ -25,7 +25,7 @@ export class Home implements OnInit {
 // javascript: URLs are dangerous if attacker controlled.
 // Angular sanitizes them in data binding, but you can
 // explicitly tell Angular to trust this value:
- this.trustedUrl = this.sanitizer.bypassSecurityTrustUrl('javascript:alert("Don\'t forget to add a comment in the bottom please!")');
+ this.trustedUrl = this.sanitizer.bypassSecurityTrustUrl('');
 this.updateNews();
 }
From e351be717bd17b72ebce7f800ae39628ac2cab47 Mon Sep 17 00:00:00 2001
From: Corentin Dessenne
Date: Mon, 13 Feb 2023 17:05:05 +0100
Subject: [PATCH 4/4] Update home.ts (last time i promise)
---
 pw/pw-xss/client/src/app/home/home.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pw/pw-xss/client/src/app/home/home.ts b/pw/pw-xss/client/src/app/home/home.ts
index 9eac11cc..19806b63 100644
--- a/pw/pw-xss/client/src/app/home/home.ts
+++ b/pw/pw-xss/client/src/app/home/home.ts
@@ -25,7 +25,7 @@ export class Home implements OnInit {
 // javascript: URLs are dangerous if attacker controlled.
 // Angular sanitizes them in data binding, but you can
 // explicitly tell Angular to trust this value:
- this.trustedUrl = this.sanitizer.bypassSecurityTrustUrl('');
+ this.trustedUrl = this.sanitizer.bypassSecurityTrustUrl('javascript:alert("Don\'t forget to add a comment in the bottom please!")');
 this.updateNews();
 }
@@ -38,7 +38,7 @@ export class Home implements OnInit {
 this.newsOfTheDay = news;
 // uncomment the line below only for demo purpose, don't do this in a real situation
 // if you want to force a given scripting which you trust and is under you strict control (never from user input), use DomSanitizer#bypassSecurityTrustHtml(String) method
- this.newsOfTheDay.content = this.sanitizer.bypassSecurityTrustHtml('');
+ this.newsOfTheDay.content = this.sanitizer.bypassSecurityTrustHtml('');
 });
 }
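Review bot: The series ends with `bypassSecurityTrustUrl('javascript:alert(...)')` active again in the first `@@ -25,7` hunk, reverting what patch 3 had just changed to an empty string, and neither the commit title "Update home.ts (last time i promise)" nor the comment block above the line records why the final state is the javascript: URL, so a reader cannot tell whether that is the intended end state of the exercise; `ngOnInit`'s opening line sits above the hunk. In the second hunk the removed and added `bypassSecurityTrustHtml('')` lines are textually identical on this page, which suggests the markup inside the string literal was lost when the page was extracted, so the actual HTML being marked trusted cannot be reviewed from here. If the re-enabled URL is deliberate, extend the existing three-line comment with one sentence naming the intent, e.g. `// Lab demo: bypassSecurityTrustUrl skips Angular's URL sanitizer for this fixed literal.`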
Latest news from Web & Mobile Framework Team