During a security review of the eOffice codebase, I noticed several instances where `innerHTML` is used to render data, particularly in the note-taking and document modules. While much of this data is local, the "Import" features (e.g., in `enotes.html`) could potentially allow for Stored Cross-Site Scripting (XSS) if a user is tricked into importing a malicious JSON file.
Findings
- innerHTML usage: Multiple files like `browser/econnect.html`, `extensions/browser/apps/eosim-play.html`, and `browser/enotes.html` use `innerHTML` to inject dynamic content.
- Data Import: The `importNotes` function in `browser/enotes.html` parses external JSON files and immediately triggers a re-render of the UI using these potentially unsafe strings.
Impact
If an attacker provides a crafted `.json` backup file containing malicious scripts, and a user imports it, the script could execute in the context of the eOffice application, potentially leaking local storage data or performing actions on behalf of the user.
Recommendation
- Sanitization: Use a library like DOMPurify to sanitize all HTML strings before passing them to `innerHTML`.
- Safer Alternatives: Where possible, switch to `textContent` or `innerText` for non-HTML data.
- Validation: Implement stricter schema validation for imported files to ensure only expected fields and safe content are processed.
I'd be happy to discuss this further or help implement a sanitization layer if you think this is a valid concern for the project.
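The recommendations above (schema validation of the imported backup, and rendering note fields as text rather than markup), as an added example that is not part of the issue or of eOffice's code. The backup shape `{"notes":[{"title","body","created"}]}`, the field limits, and the function names are assumptions made for this example.

```javascript
// Added example (not eOffice's own code). Assumed backup shape, constructed for
// this example: {"notes":[{"title":"...","body":"...","created":"ISO-8601"}]}.
const MAX_NOTES = 10000;   // assumed limits; tune for the real application
const MAX_FIELD = 20000;

// Accept only the expected fields, each with the expected type and size.
// Anything else in the file is dropped, so the renderer never sees it.
function validateImportedNotes(jsonText) {
  const data = JSON.parse(jsonText); // throws on malformed JSON
  if (!data || !Array.isArray(data.notes)) throw new Error('missing "notes" array');
  if (data.notes.length > MAX_NOTES) throw new Error('too many notes');
  return data.notes.map((n, i) => {
    if (typeof n !== 'object' || n === null) throw new Error(`note ${i}: not an object`);
    const { title, body, created } = n;
    if (typeof title !== 'string' || title.length > MAX_FIELD) throw new Error(`note ${i}: bad title`);
    if (typeof body !== 'string' || body.length > MAX_FIELD) throw new Error(`note ${i}: bad body`);
    if (created !== undefined && (typeof created !== 'string' || Number.isNaN(Date.parse(created)))) {
      throw new Error(`note ${i}: bad created timestamp`);
    }
    return { title, body, created }; // unknown fields are not carried over
  });
}

// Only for the rare case where an HTML string genuinely must be built;
// with textContent rendering below it is not needed at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern being replaced:  li.innerHTML = `<b>${note.title}</b>${note.body}`;
// Safe pattern: build elements and assign strings via textContent, so imported
// data is always treated as text and never parsed as markup.
function renderNote(doc, note) {
  const li = doc.createElement('li');
  const heading = doc.createElement('strong');
  heading.textContent = note.title;
  const para = doc.createElement('p');
  para.textContent = note.body;
  li.append(heading, para);
  return li;
}

// Usage in a browser: validateImportedNotes(fileText).forEach(n => list.append(renderNote(document, n)));
```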