There is a lot of feedback.
Some people want to make it possible to use JS in the markdown preview.
But some other people want strict sanitizing for security.
I actually agree that using JS should be fine. The only attack vector is writing attack code in the markdown. I think most of our users are developers, so they can prevent the attack by themselves.
But Electron has too much power. It can access and manipulate the filesystem and shell.
So, I think we should host the app on electron via http. (It means making the electron main process a web server. If we need ipc, we can exploit websockets.) So all local images (starting with file://~~) and the electron instance won't be accessible. And giving an option to sanitize HTML strictly should be enough.
I believe this should be a nice point of compromise. What do you think, guys?
I think most of our users are developers, so they can prevent the attack by themselves.
This is not true. I am a developer, and I want to share my notes with all my devices. So it doesn't matter how smart I am. If I use Dropbox, OwnCloud or SkyDrive, I am vulnerable to their security. And a lot of services by competent developers have already been compromised to a smaller or bigger extent in the past.
So, I think we should host the app on electron via http.
What does that entail? Will the notes be stored natively or remotely?
I think it would be best to be __secure by default__ (limited set of safe html tags) and allow __opting in to insecure features__ (broad set of tags and dangerous attributes) with a clear warning.
For example, an option in the app settings like so:
__Options__
:white_medium_small_square: :warning: Allow dangerous html tags in notes
When enabling, a modal pops up, where you have to confirm:
__Dangerous tags__
:warning: Enabling html also enables anyone with access to any of your devices or synced folders to prepare a note that takes over _all_ your connected computers.
:white_circle: I understand the implications and want to enable dangerous tags anyway
:radio_button: Nevermind, keep me safe!
If I use Dropbox, OwnCloud or SkyDrive, I am vulnerable to their security.
Hmm, I didn't notice that. Good point.
What does that entail? Will the notes be stored natively or remotely?
As far as I know, if the URL of the BrowserWindow starts with http://~~, global objects of Node.js, like require, and the local images are not available. So I thought it should be enough.
So, attackers could steal some rendered notes, but they couldn't access local filesystem and shell.
I think it would be best to be secure by default (limited set of safe html tags) and allow to opt-in to insecure features (broad set of tags and dangerous attributes) with a clear warning.
For example, an option in the app settings like so:
Options
:white_medium_small_square: :warning: Allow dangerous html tags in notes
When enabling, a modal pops up, where you have to confirm:
Dangerous tags
鈿狅笍 Enabling html also enables anyone with access to any of your devices or synced folders to prepare a note that takes over all your connected computers.
:white_circle: I understand the implications and want to enable dangerous tags anyway
:radio_button: Nevermind, keep me safe!
Sounds reasonable. I agree with it.
Cool thanks @Rokt33r for creating this issue!
My personal opinion is, to have a strict sanitisation as @Redsandro suggests containing some whitelisted html tags and urls (which are safe). We could then add a user configurable whitelist of allowed tags and the option to enable html in general with a clear warning.
So something like this:
Markdown Sanitisation
:radio_button: :heavy_check_mark: Only allow secure html tags (recommended)
:white_circle: :warning: Use my own configuration
:white_circle: :x: Allow dangerous html tags
_(the last two options could be combined)_
Additionally we can add new features to the markdown renderer (provide [youtube-]video support and so on) so that the need for html tags is no longer there.
@Rokt33r
So, I think we should host the app on electron via http
Hmm, hosting via an http server seems to be a bit overkill (to my mind) and it would be best practice to sanitise the markdown/html anyway.
As far as I know, if the URL of the BrowserWindow starts with http://~~, global objects of Node.js, like require, and the local images are not available
Not sure if I got your suggestion, but as node is integrated into the electron javascript engine, it doesn't matter whether one loads an html file locally or via http in the BrowserWindow object. So e.g. require('fs') would work in both cases.
_In theory one could host the notes via http and reference them via iframes in the main app, but I would not prefer that to sanitisation._
To my mind the best way would be to use proper html sanitisation as @Redsandro did, make it configurable and add more features to the markdown implementation to reduce the need for html tags in general.
:radio_button: :heavy_check_mark: Only allow secure html tags __(recommended)__
:white_circle: :warning: Allow styles
:white_circle: :x: Allow dangerous html tags
:information_source: _Allowing dangerous html tags also enables anyone with access to any of your devices or synced folders to prepare a note that takes over all your connected computers._
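As an added example (not Boostnote's code and not posted by anyone in this thread), here is a small Node.js allow-list sanitiser that implements the three levels proposed in the two comments above: "Only allow secure html tags", "Allow styles" and "Allow dangerous html tags". The tag and attribute lists, the level names, the `sanitizeHtml`/`safeUrl` function names and the sample note are assumptions made for this demo. It drops script-like elements with their content, drops every attribute not on the per-tag list (so all `on*` handlers go), and rejects `javascript:` and `file:` URLs in `href`/`src`, which is the "no local images" point made earlier in the thread.

```javascript
// Added example: three-level HTML allow-list sanitiser for a markdown preview.
// Not Boostnote's code; lists, level names and sample input are assumptions for the demo.

const SAFE_TAGS = new Set(['a', 'p', 'br', 'hr', 'em', 'strong', 'code', 'pre',
  'ul', 'ol', 'li', 'blockquote', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td']);
// Elements whose body is code rather than text: removed together with their content.
const RAW_TEXT_TAGS = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];
const SAFE_ATTRS = { a: ['href', 'title'], img: ['src', 'alt', 'title'], td: ['align'], th: ['align'] };
const SAFE_SCHEMES = /^(https?|mailto):/i; // file: is deliberately absent: no local images

const LEVELS = {
  secure:    { allowStyle: false, raw: false }, // "Only allow secure html tags"
  styles:    { allowStyle: true,  raw: false }, // "Allow styles"
  dangerous: { allowStyle: true,  raw: true  }, // "Allow dangerous html tags": no filtering
};

// Returns the URL if it may be used in href/src, or null if it must be dropped.
function safeUrl(value) {
  const v = value.trim().replace(/[\u0000-\u001f]/g, ''); // control chars can hide "java\tscript:"
  if (/^[a-z][a-z0-9+.-]*:/i.test(v)) return SAFE_SCHEMES.test(v) ? v : null; // absolute URL
  if (v.startsWith('//')) return null;                                        // protocol-relative
  return v;                                                                   // relative path / fragment
}

// Keeps only the attributes allowed for this tag (plus style when the level permits it).
function sanitizeAttrs(tag, attrText, allowStyle) {
  const kept = [];
  const re = /([a-zA-Z:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    const allowed = (SAFE_ATTRS[tag] || []).includes(name) || (allowStyle && name === 'style');
    if (!allowed) continue; // this also drops every on* event handler
    let v = value;
    if (name === 'href' || name === 'src') {
      v = safeUrl(value);
      if (v === null) continue;
    }
    if (name === 'style' && /expression|url\s*\(|javascript:/i.test(v)) continue;
    kept.push(`${name}="${v.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitizeHtml(html, level = 'secure') {
  const policy = LEVELS[level];
  if (!policy) throw new Error(`unknown sanitisation level: ${level}`);
  if (policy.raw) return html; // the dangerous level passes the note through untouched
  let out = html;
  for (const t of RAW_TEXT_TAGS) {
    out = out.replace(new RegExp(`<${t}\\b[^>]*>[\\s\\S]*?<\\/${t}\\s*>`, 'gi'), '');
    out = out.replace(new RegExp(`<${t}\\b[^>]*>[\\s\\S]*$`, 'gi'), ''); // unclosed: drop to the end
  }
  return out.replace(/<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g, (whole, name, attrs) => {
    const tag = name.toLowerCase();
    if (!SAFE_TAGS.has(tag)) return ''; // unknown tag removed; its text content stays
    if (whole.startsWith('</')) return `</${tag}>`;
    const selfClosing = /\/\s*$/.test(attrs) ? ' /' : '';
    return `<${tag}${sanitizeAttrs(tag, attrs.replace(/\/\s*$/, ''), policy.allowStyle)}${selfClosing}>`;
  });
}

// Constructed sample of what a markdown renderer might emit for a hostile note.
const SAMPLE_NOTE_HTML = [
  '<p>Hello <strong>world</strong></p>',
  '<img src="file:///home/me/secret.png" alt="local">',
  '<a href="javascript:alert(1)" title="docs">click</a>',
  '<script>alert(1)</script>',
  '<div style="color:red">styled</div>',
].join('\n');

for (const level of Object.keys(LEVELS)) {
  console.log(`--- ${level} ---\n${sanitizeHtml(SAMPLE_NOTE_HTML, level)}`);
}
```

The sanitiser runs in the renderer before the HTML is inserted into the preview, and, as the comment above notes, it is needed whether the BrowserWindow was loaded from `file://` or `http://`. Regex tag matching like this misses parser edge cases (malformed or nested quoting, unusual whitespace in tag names), so a shipping app should hand the same policy to a maintained parser-based sanitiser such as DOMPurify or sanitize-html; the value of this block is the shape of the three-level policy, not the tokenizer.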
@Redsandro Sounds reasonable. I'll take care of it.