fix: sanitize <script> in __FRSH_STATE state (#739)

This commit escapes `<` `>` and related characters in the serialized state that is encoded into the `<script id=__FRSH_STATE>` tag. This prevents XSS attack occuring through injection of a `</script>` string in island props.

Author: wilf312

src/server/htmlescape.ts

@@ -0,0 +1,15 @@
+// This utility is based on https://github.com/zertosh/htmlescape
+// License: https://github.com/zertosh/htmlescape/blob/0527ca7156a524d256101bb310a9f970f63078ad/LICENSE
+
+const ESCAPE_LOOKUP: { [match: string]: string } = {
+  ">": "\\u003e",
+  "<": "\\u003c",
+  "\u2028": "\\u2028",
+  "\u2029": "\\u2029",
+};
+
+const ESCAPE_REGEX = /[><\u2028\u2029]/g;
+
+export function htmlEscapeJsonString(str: string): string {
+  return str.replace(ESCAPE_REGEX, (match) => ESCAPE_LOOKUP[match]);
+}

src/server/htmlescape_test.ts

@@ -0,0 +1,18 @@
+import { htmlEscapeJsonString } from "./htmlescape.ts";
+import { assertEquals } from "../../tests/deps.ts";
+
+Deno.test("with angle brackets should escape", () => {
+  const evilObj = { evil: "<script></script>" };
+  assertEquals(
+    htmlEscapeJsonString(JSON.stringify(evilObj)),
+    '{"evil":"\\u003cscript\\u003e\\u003c/script\\u003e"}',
+  );
+});
+
+Deno.test("with angle brackets should parse back", () => {
+  const evilObj = { evil: "<script></script>" };
+  assertEquals(
+    JSON.parse(htmlEscapeJsonString(JSON.stringify(evilObj))),
+    evilObj,
+  );
+});

src/server/render.ts

@@ -17,6 +17,7 @@ import { CSP_CONTEXT, nonce, NONE, UNSAFE_INLINE } from "../runtime/csp.ts";
 import { ContentSecurityPolicy } from "../runtime/csp.ts";
 import { bundleAssetUrl } from "./constants.ts";
 import { assetHashingHook } from "../runtime/utils.ts";
+import { htmlEscapeJsonString } from "./htmlescape.ts";
 
 export interface RenderOptions<Data> {
   route: Route<Data> | UnknownPage | ErrorPage;
@@ -276,7 +277,7 @@ export async function render<Data>(
   if (state[0].length > 0 || state[1].length > 0) {
     // Append state to the body
     bodyHtml += `<script id="__FRSH_STATE" type="application/json">${
-      JSON.stringify(state)
+      htmlEscapeJsonString(JSON.stringify(state))
     }</script>`;
 
     // Append the inline script to the body

tests/fixture/fresh.gen.ts

@@ -12,24 +12,25 @@ import * as $5 from "./routes/api/get_only.ts";
 import * as $6 from "./routes/assetsCaching/index.tsx";
 import * as $7 from "./routes/books/[id].tsx";
 import * as $8 from "./routes/connInfo.ts";
-import * as $9 from "./routes/failure.ts";
-import * as $10 from "./routes/index.tsx";
-import * as $11 from "./routes/intercept.tsx";
-import * as $12 from "./routes/intercept_args.tsx";
-import * as $13 from "./routes/islands/index.tsx";
-import * as $14 from "./routes/layeredMdw/_middleware.ts";
-import * as $15 from "./routes/layeredMdw/layer2-no-mw/without_mw.ts";
-import * as $16 from "./routes/layeredMdw/layer2/_middleware.ts";
-import * as $17 from "./routes/layeredMdw/layer2/abc.ts";
-import * as $18 from "./routes/layeredMdw/layer2/index.ts";
-import * as $19 from "./routes/layeredMdw/layer2/layer3/[id].ts";
-import * as $20 from "./routes/layeredMdw/layer2/layer3/_middleware.ts";
-import * as $21 from "./routes/middleware_root.ts";
-import * as $22 from "./routes/not_found.ts";
-import * as $23 from "./routes/params.tsx";
-import * as $24 from "./routes/props/[id].tsx";
-import * as $25 from "./routes/static.tsx";
-import * as $26 from "./routes/wildcard.tsx";
+import * as $9 from "./routes/evil.tsx";
+import * as $10 from "./routes/failure.ts";
+import * as $11 from "./routes/index.tsx";
+import * as $12 from "./routes/intercept.tsx";
+import * as $13 from "./routes/intercept_args.tsx";
+import * as $14 from "./routes/islands/index.tsx";
+import * as $15 from "./routes/layeredMdw/_middleware.ts";
+import * as $16 from "./routes/layeredMdw/layer2-no-mw/without_mw.ts";
+import * as $17 from "./routes/layeredMdw/layer2/_middleware.ts";
+import * as $18 from "./routes/layeredMdw/layer2/abc.ts";
+import * as $19 from "./routes/layeredMdw/layer2/index.ts";
+import * as $20 from "./routes/layeredMdw/layer2/layer3/[id].ts";
+import * as $21 from "./routes/layeredMdw/layer2/layer3/_middleware.ts";
+import * as $22 from "./routes/middleware_root.ts";
+import * as $23 from "./routes/not_found.ts";
+import * as $24 from "./routes/params.tsx";
+import * as $25 from "./routes/props/[id].tsx";
+import * as $26 from "./routes/static.tsx";
+import * as $27 from "./routes/wildcard.tsx";
 import * as $$0 from "./islands/Counter.tsx";
 import * as $$1 from "./islands/Test.tsx";
 import * as $$2 from "./islands/kebab-case-counter-test.tsx";
@@ -45,24 +46,25 @@ const manifest = {
     "./routes/assetsCaching/index.tsx": $6,
     "./routes/books/[id].tsx": $7,
     "./routes/connInfo.ts": $8,
-    "./routes/failure.ts": $9,
-    "./routes/index.tsx": $10,
-    "./routes/intercept.tsx": $11,
-    "./routes/intercept_args.tsx": $12,
-    "./routes/islands/index.tsx": $13,
-    "./routes/layeredMdw/_middleware.ts": $14,
-    "./routes/layeredMdw/layer2-no-mw/without_mw.ts": $15,
-    "./routes/layeredMdw/layer2/_middleware.ts": $16,
-    "./routes/layeredMdw/layer2/abc.ts": $17,
-    "./routes/layeredMdw/layer2/index.ts": $18,
-    "./routes/layeredMdw/layer2/layer3/[id].ts": $19,
-    "./routes/layeredMdw/layer2/layer3/_middleware.ts": $20,
-    "./routes/middleware_root.ts": $21,
-    "./routes/not_found.ts": $22,
-    "./routes/params.tsx": $23,
-    "./routes/props/[id].tsx": $24,
-    "./routes/static.tsx": $25,
-    "./routes/wildcard.tsx": $26,
+    "./routes/evil.tsx": $9,
+    "./routes/failure.ts": $10,
+    "./routes/index.tsx": $11,
+    "./routes/intercept.tsx": $12,
+    "./routes/intercept_args.tsx": $13,
+    "./routes/islands/index.tsx": $14,
+    "./routes/layeredMdw/_middleware.ts": $15,
+    "./routes/layeredMdw/layer2-no-mw/without_mw.ts": $16,
+    "./routes/layeredMdw/layer2/_middleware.ts": $17,
+    "./routes/layeredMdw/layer2/abc.ts": $18,
+    "./routes/layeredMdw/layer2/index.ts": $19,
+    "./routes/layeredMdw/layer2/layer3/[id].ts": $20,
+    "./routes/layeredMdw/layer2/layer3/_middleware.ts": $21,
+    "./routes/middleware_root.ts": $22,
+    "./routes/not_found.ts": $23,
+    "./routes/params.tsx": $24,
+    "./routes/props/[id].tsx": $25,
+    "./routes/static.tsx": $26,
+    "./routes/wildcard.tsx": $27,
   },
   islands: {
     "./islands/Counter.tsx": $$0,

tests/fixture/routes/evil.tsx

@@ -0,0 +1,9 @@
+import Test from "../islands/Test.tsx";
+
+export default function EvilPage() {
+  return (
+    <div>
+      <Test message={`</script><script>alert('test')</script>`} />
+    </div>
+  );
+}

tests/fixture/routes/islands/index.tsx

@@ -9,6 +9,7 @@ export default function Home() {
       <Counter id="counter2" start={10} />
       <KebabCaseFileNameTest id="kebab-case-file-counter" start={5} />
       <Test message="" />
+      <Test message={`</script><script>alert('test')</script>`} />
     </div>
   );
 }

tests/islands_test.ts

@@ -82,3 +82,62 @@ Deno.test({
   sanitizeOps: false,
   sanitizeResources: false,
 });
+
+Deno.test({
+  name: "island tests with </script>",
+  async fn(t) {
+    // Preparation
+    const serverProcess = Deno.run({
+      cmd: ["deno", "run", "-A", "./tests/fixture/main.ts"],
+      stdout: "piped",
+      stderr: "inherit",
+    });
+
+    const decoder = new TextDecoderStream();
+    const lines = serverProcess.stdout.readable
+      .pipeThrough(decoder)
+      .pipeThrough(new TextLineStream());
+
+    let started = false;
+    for await (const line of lines) {
+      if (line.includes("Listening on http://")) {
+        started = true;
+        break;
+      }
+    }
+    if (!started) {
+      throw new Error("Server didn't start up");
+    }
+
+    await delay(100);
+
+    const browser = await puppeteer.launch({ args: ["--no-sandbox"] });
+    const page = await browser.newPage();
+    page.on("dialog", () => {
+      assert(false, "There is XSS");
+    });
+
+    await page.goto("http://localhost:8000/evil", {
+      waitUntil: "networkidle2",
+    });
+
+    await t.step("prevent XSS on Island", async () => {
+      const bodyElem = await page.waitForSelector(`body`);
+      const value = await bodyElem?.evaluate((el) => el.getInnerHTML());
+
+      assertStringIncludes(
+        value,
+        `{"message":"\\u003c/script\\u003e\\u003cscript\\u003ealert('test')\\u003c/script\\u003e"}`,
+        `XSS is not escaped`,
+      );
+    });
+
+    await browser.close();
+
+    await lines.cancel();
+    serverProcess.kill("SIGTERM");
+    serverProcess.close();
+  },
+  sanitizeOps: false,
+  sanitizeResources: false,
+});