Security Policy

[Otto-AA]

What is the security policy for this repository? I could not find any info in the README and the Security github section.

In particular, where should I report security vulnerabilities?

[timea-solid]

@Otto-AA sorry for coming back to you so late.
Feel free to report any issues in this ticket.

[Otto-AA]

I don't remember where exactly it was in the code, if you need it I can try to dig it up.

Essentially, the markdown renderer is vulnerable to XSS. When viewing a markdown file, arbitrary scripts from this file can be executed. As an example, go to https://sheep.solidcommunity.net/public/ and click on the xss.md file, which will call print() as a XSS demonstration.

As a solution, it is likely enough to go to the documentation of the markdown renderer and follow the security best practices there (again, I forgot which one it is, but they must have a section about filtering scripts for XSS).

[timea-solid]

@Otto-AA thanks! This already pins it down pretty good. :)

[Otto-AA]

Also as a general note: restrain from using .innerHtml = ... if not necessary. I've seen it in a number of places, where only text is assigned, not HTML (not sure which one is good, but e.g. .innerText or innerContent should work iirc). This makes it less likely to have XSS

[timea-solid]

@Otto-AA I think it is clear from your findings we do not have much know-how about security concerns in the code 😓 We could really use some help, even with this simple .innerHtml removal tasks. Would you be interested to join us, take a look? We can also organise a security knowledge transfer so we know what to avoid and fix.
The SolidOs team meets every week on Wednesday 6pm CET more details and you can always come say hi at our gitter chat. We'd like to learn more on security topics and to get to know you.

[bourgeoa]

SoliOS is using https://github.com/markedjs/marked. They recommend to sanitize using https://github.com/cure53/DOMPurify

[timbl]

We should split off the script injection problem from this general "What is your Security Policy" issue.