Tell HN: Immersive-translate plugin may expose you to XSS attacks
This post might not directly concern English-speaking users, but I know there are many users (at least many Chinese speaking users) browse Hacker News with immersive-translate plugin[1]. The plugin has https://news.ycombinator.com included in its default list of sites to translate.
I recently identified a potential XSS injection target. When users navigate to a specific piece of content using the plugin, malicious code could be executed by their browser. This allows the possibility of cookies being stolen or other malicious activities. I have reported in their issue tracker[2].
Example:
<button onmouseover=alert(123)><img src="/404" onerror=alert(789)>im a button<script>alert(456)</script></button>
If you translate the above content using immersive-translate, you’ll see a popup. Moving your mouse over the translated content could trigger another popup.Suggestions:
- For Immersive-Translate users: Until this issue is fixed, I recommend disabling the default translation of Hacker News content and only translating content that has been manually reviewed.
- For Hacker News admins: To mitigate this risk, you might consider adding a `Content-Security-Policy` header in the server responses or including a `<meta http-equiv="Content-Security-Policy" content="xxx">` tag in the HTML `<head>` section.
[1]: https://immersivetranslate.com/[2]: https://github.com/immersive-translate/immersive-translate/issues/2022
5 comments
[ 4.3 ms ] story [ 18.4 ms ] threadThey said in previous posts that they are using `DOMPurify` to sanitize the code, but it turns out that it did not work well.
It's an old project though and I've always refrained from using it in favor of sanitizing user input in other ways (or letting library code do it for me).
It might be that they used this library wrong. It might also be that it's more of a research project.
There's a reason I guess that none of the popular UI frameworks/libraries have DOMPurify as a dep.
It boils down to a separation similar to prepared statements.
Disallowing direct string interpolation into DOM subtrees is the way to go, esp when user-controlled data is involved. You can't achieve XSS by assigning .textContent on a DOM node, for example.
That's why the DOM API is a thing and innerHTML is equivalent to eval regarding security.
The browser add-on is unfortunately not open source and I don't want to spend a lot of time to investigate it. According an earlier issue (#1437), they should have fixed it already. I guess the later envolvements changed that.
I agree with you that what DOMPurify does should be cared of by the Browser.