HUGO

Hugo + CMS and 'unsafe = true'

Hi there,

we are reviewing Hugo Themes, in particular Netlify-CMS compatible themes.

We would like with this CMS to open the publication:

  • to users with no technical skills ( i.e pasting random content in the CMS)
  • to users we don’t trust ( i.e potentially trying to exploit the platform)

No moderation will take place, the content goes straight from the CMS to some live & public HTML.

Question #1: Do you have general advice about this usecase?
(let’s first consider that unsafe is set to false)

The case of unsafe = true

Some appealing themes are shipping Netlify-CMS / Forestry and use the following setting in config.toml:

[markup.goldmark.renderer]
  unsafe = true  

The documentation is short on this topic (see also #6581).

Question #2: How to scope the risks induced by this setup? Is the content absolutely unfiltered in such a situation?

Question #3: Do you think of a way to properly filter the content submitted via a CMS?

Thanks!

1 Like

Yes. Don’t do it.

Yes. A user could include this with their markdown:

<script>
  alert("Ha ha ha");
</script>

<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Libre+Barcode+39&display=swap" rel="stylesheet">

<style>
  body {
    font-family: 'Libre Barcode 39', cursive;
    font-size: 400%;
    color: red;
  }
</style>

After pressing OK in the “Ha ha ha” alert popup, any text on the page will be rendered as a giant red barcode.

Or they could just burn CPU cycles and freeze the browser tab with:

<script>
  var i = 0;
  while (1) {
    console.log(i)
    i++
  }
</script>

Moderate the content (or limit to trusted users) and use the default security model (unsafe = false).

1 Like

It couldn’t be any clearer, thank you @jmooring !

The solution is to implement selected usage with shortcodes I guess.

Also note, even you set unsafe=false,

since Markdown Attributes feature released, event handler can be attached to code fence via on<event> in markdown attributes, and there is no config to disable this.

# do not directly copy below code, it contains zero-width space before the triple backticks (to avoid discourse render it)

​```html {onclick="alert('xss')" onmouseenter="alert('xss-onmouseenter')"}
<h1>Hello World</h1>
​```

@jmooring @iaeiou

2 Likes

Also note, even you set unsafe=false ,

since Markdown Attributes feature released, event handler can be attached to code fence via on<event> in markdown attributes, and there is no config to disable this.

Confirmed, tested with unsafe = false and an alert is displayed.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.