From 12b1acfea651cd17caca4fa0b00c0c7538e74766 Mon Sep 17 00:00:00 2001
From: Ingmar de Lange
Date: Fri, 14 Mar 2025 08:55:59 +0100
Subject: [PATCH 1/5] Fix XSS attack vector
---
 lib/plug/templates/debugger.md.eex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/plug/templates/debugger.md.eex b/lib/plug/templates/debugger.md.eex
index 6b4921c6..dd81fbe2 100644
--- a/lib/plug/templates/debugger.md.eex
+++ b/lib/plug/templates/debugger.md.eex
@@ -26,7 +26,7 @@ Code:
 ### Params
- <%= inspect(@params) %>
+ <%= Plug.HTML.html_escape inspect(@params) %>
 ### Request info
From c33fbd4d49bdff18c5b56366762f33ab24d58f73 Mon Sep 17 00:00:00 2001
From: Ingmar de Lange
Date: Fri, 14 Mar 2025 10:22:48 +0100
Subject: [PATCH 2/5] Fix query_string and headers as well
---
 lib/plug/templates/debugger.md.eex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/plug/templates/debugger.md.eex b/lib/plug/templates/debugger.md.eex
index dd81fbe2..f783c1f6 100644
--- a/lib/plug/templates/debugger.md.eex
+++ b/lib/plug/templates/debugger.md.eex
@@ -31,11 +31,11 @@ Code:
 ### Request info
 * URI: <%= url(@conn) %>
- * Query string: <%= @conn.query_string %>
+ * Query string: <%= Plug.HTML.html_escape @conn.query_string %>
 ### Headers
 <%= for {key, value} <- Enum.sort(@conn.req_headers) do %>
- * <%= key %>: <%= value %><% end %>
+ * <%= Plug.HTML.html_escape "#{key}: #{value}" %><% end %>
 ### Session
From d715f21114a19e3fdeaae281158861cd67174417 Mon Sep 17 00:00:00 2001
From: Ingmar de Lange
Date: Fri, 14 Mar 2025 15:16:34 +0100
Subject: [PATCH 3/5] Escape whole textarea content
---
 lib/plug/debugger.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/plug/debugger.ex b/lib/plug/debugger.ex
index 1974db6b..4f69d7bf 100644
--- a/lib/plug/debugger.ex
+++ b/lib/plug/debugger.ex
@@ -234,7 +234,7 @@ defmodule Plug.Debugger do
 Keyword.merge(assigns,
 conn: conn,
 message: maybe_autolink(message),
- markdown: markdown,
+ markdown: h(markdown),
 style: style,
 banner: banner,
 actions: actions,
From 7cde2703dc7370a9cb75d7ad75f149ccc4c4521d Mon Sep 17 00:00:00 2001
From: Ingmar de Lange
Date: Fri, 14 Mar 2025 15:17:33 +0100
Subject: [PATCH 4/5] The copy button uses textContent instead of innerHTML
---
 lib/plug/templates/debugger.html.eex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/plug/templates/debugger.html.eex b/lib/plug/templates/debugger.html.eex
index fdc8f20a..94242a19 100644
--- a/lib/plug/templates/debugger.html.eex
+++ b/lib/plug/templates/debugger.html.eex
@@ -1057,7 +1057,7 @@ function copyToClipboard () {
 if(navigator.clipboard) {
 // For those working on localhost or HTTPS
- navigator.clipboard.writeText($copy.innerHTML).then(copiedClipboard).catch(() => {})
+ navigator.clipboard.writeText($copy.textContent).then(copiedClipboard).catch(() => {})
 } else {
 // For those working on HTTP
 $copy.select()
From 53db5fc38b7079404ec82083d4b6e1ecb2268012 Mon Sep 17 00:00:00 2001
From: Ingmar de Lange
Date: Fri, 14 Mar 2025 15:18:26 +0100
Subject: [PATCH 5/5] Escaping in the markdown template itself is not necessary
---
 lib/plug/templates/debugger.md.eex | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/plug/templates/debugger.md.eex b/lib/plug/templates/debugger.md.eex
index f783c1f6..6b4921c6 100644
--- a/lib/plug/templates/debugger.md.eex
+++ b/lib/plug/templates/debugger.md.eex
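Review bot: `h(markdown)` becomes the single place where the whole report is HTML-escaped, and nothing at this line records that the markdown template is expected to emit unescaped text, so the invariant is easy to break by re-adding escaping in `debugger.md.eex` (which patch 5 of this series removes) and double-encoding the output. A one-line comment would pin it: `# Escape the whole rendered report once, here; debugger.md.eex emits raw request data on purpose.` `h/1` is not defined in this hunk; if it is the `Plug.HTML.html_escape` wrapper, escaping `<` also stops a request value from terminating the element the report is embedded in, which is the point of the fix. A regression test that renders a request whose params and headers contain HTML markup and asserts only the escaped form appears in the page would keep this from regressing. The enclosing function starts and ends outside the hunk.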
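Review bot: If `$copy` is the `<textarea>` holding the report (the `$copy.select()` fallback below suggests so), `$copy.value` is the conventional source for its text; `textContent` returns the element's initial content rather than its current value, which coincides for a server-filled read-only textarea, so this is a style point rather than a defect. Reading `innerHTML` would have copied the entity-encoded form once the report is escaped server-side (patch 3 in this series), so the switch away from it is correct either way. The pre-existing `.catch(() => {})` hides clipboard-permission failures; `.catch((e) => console.debug(e))` would keep them diagnosable without changing behaviour. `copyToClipboard` continues outside the hunk.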
@@ -26,16 +26,16 @@ Code:
 ### Params
- <%= Plug.HTML.html_escape inspect(@params) %>
+ <%= inspect(@params) %>
 ### Request info
 * URI: <%= url(@conn) %>
- * Query string: <%= Plug.HTML.html_escape @conn.query_string %>
+ * Query string: <%= @conn.query_string %>
 ### Headers
 <%= for {key, value} <- Enum.sort(@conn.req_headers) do %>
- * <%= Plug.HTML.html_escape "#{key}: #{value}" %><% end %>
+ * <%= key %>: <%= value %><% end %>
 ### Session
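Review bot: With the template-level escapes removed, `debugger.md.eex` once more emits request data verbatim and depends on the caller escaping the rendered markdown as a whole (`markdown: h(markdown)` in patch 3 of this series), but nothing in the template states that contract. A header comment would guard against the output later being rendered as HTML directly, e.g. `<%# Plain markdown report: the output is NOT HTML-safe on its own; Plug.Debugger escapes the rendered result before embedding it in the page. %>`. The blob ids show this patch restores the file exactly to its pre-series state (`f783c1f6..6b4921c6` back to the original `6b4921c6`), so patches 1, 2 and 5 could be squashed away to avoid a fix-then-revert in history.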