sidiousvic/phantom

Safeguard against XSS injection attacks

Closed this issue · 1 comment

The phantom engine uses the innerHTML property to render elements in certain conditions. This makes it a possibility that third party strings/code could be injected into a phantom app (an XSS attack).

An XSS attack in broad terms is when it is possible to inject scripts via app user inputs that will be parsed through with innerHTML and thus executed by the website. A simple example is firing an alert.


We could safeguard against this by implementing a function that sanitizes HTML before injection, as suggested by Chris Ferdinandi.

// @author Chris Ferdinandi
// Assigning to textContent stores the string as a text node; reading
// innerHTML back serializes it with <, > and & escaped.
var sanitizeHTML = function (str) {
  var temp = document.createElement('div');
  temp.textContent = str;
  return temp.innerHTML;
};

The example above is specific, but could be adapted to sanitize HTML properly.

Another option is using a library such as DOMPurify.

I think this is a prime responsibility for phantom, since the dangerous use of innerHTML is hidden to the user and other frontend frameworks have similar protections in place. This might require a partial rewrite/rethink of the engine.

Implementing something like this might be the solution.

A simple yet robust approach to sanitizing user supplied HTML and CSS
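The escape-by-default render path the issue asks for, as an added example and not phantom's own code. It mirrors what the textContent/innerHTML trick produces (and additionally escapes quotes so values are safe inside attributes), and only lets markup reach innerHTML when the developer explicitly marks it as trusted; the DOM element here is a constructed stand-in so the snippet runs without a browser.

```javascript
// Escapes the characters that let a string change HTML structure. A browser's
// textContent -> innerHTML round trip escapes & < > only; quotes are added so
// the same helper is also safe for attribute values.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Wrapper marking a string as HTML the developer has chosen to trust.
// Only values of this type may reach innerHTML unescaped.
class TrustedHtml {
  constructor(html) { this.html = html; }
}
const trusted = (html) => new TrustedHtml(html);

// Tagged template: literal template text is kept as-is, every interpolated
// value is escaped unless it was wrapped with trusted(). Arrays are joined
// item by item under the same rule, so lists of user data stay escaped.
function html(strings, ...values) {
  const render = (v) => (v instanceof TrustedHtml ? v.html : escapeHtml(v));
  let out = strings[0];
  values.forEach((v, i) => {
    out += (Array.isArray(v) ? v.map(render).join('') : render(v)) + strings[i + 1];
  });
  return trusted(out);
}

// The single place that writes innerHTML: plain strings are always escaped,
// so a caller cannot inject markup without opting in through trusted().
function renderInto(target, content) {
  target.innerHTML = content instanceof TrustedHtml ? content.html : escapeHtml(content);
  return target.innerHTML;
}

// Constructed demo: user-supplied text containing a script tag is rendered
// as literal text, while the template's own <li> markup survives.
const userInput = '<script>alert(1)</script>'; // constructed sample input
const view = html`<li class="comment">${userInput}</li>`;
const fakeElement = { innerHTML: '' }; // stand-in for a DOM element
renderInto(fakeElement, view);
// fakeElement.innerHTML -> '<li class="comment">&lt;script&gt;alert(1)&lt;/script&gt;</li>'
```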