rustdoc search xss exploit

[misterhat]

The input for doc searches isn't sanitized, allowing for arbitrary HTML input.

http://static.rust-lang.org/doc/master/std/index.html?search=%3Cxmp%3E

[adrientetar]

Is this problematic? Afaik everything is done client-side.

[tomjakubowski]

Yes. For example, if rustdoc documentation is served on a site that uses a cookie for authentication, an attacker could perform XHRs on the victim's behalf by injecting a <script> tag. It's not particularly problematic on the static.rust-lang.org site, though.

[adrientetar]

But the search is done with client-side javascript on a client-side resources index; how can you secure that?

[tomjakubowski]

I'm not sure what you mean by the search being unsecurable because the index is searched on the client. The problem is that the Javascript responsible for rendering the search query does not properly escape it, so an attacker can insert arbitrary HTML and therefore execute arbitrary Javascript in another user's browser merely by tricking the user into following a link. This is easily fixed by escaping query.query and query.type here: https://github.com/mozilla/rust/blob/master/src/librustdoc/html/static/main.js#L393-L394

If you're not convinced of the danger, see this link (warning: displays an alert dialog) for an example. If I were more nefarious, and I knew of a site that served rustdoc HTML documentation on the same domain as another site that uses cookie authentication, I could impersonate a user of this site just by convincing them to follow a link I've sent them.

[adrientetar]

I see thanks for the explanations, opened up a PR for it.

[steveklabnik]

I knew of a site that served rustdoc HTML documentation on the same domain

I think this is the part that makes me go from "meh" to "OH!." There's not a lot of damage on rust-lang.org, but we shouldn't open up others to these issues.