Ember.js 1.9.1 released


Today, the Ember team is happy to announce the release of Ember.js 1.9.1. Ember 1.9.1 fixes a regression and introduces more conservative attribute escaping to help developers prevent unintentional cross-site scripting (XSS) vulnerabilities.

{{view}} helper and instances

Ember 1.9.0 introduced a regression where the Handlebars {{view}} helper only worked with Ember.View subclasses, not instances. In 1.9.1, passing a view instance to the helper has been fully restored.

We intend to deprecate this feature rather than remove it outright. If your app relies on this behavior, first, please accept our apologies for the unexpected regression. Second, please consider refactoring your code to use components instead of views, because support for this API will be removed in Ember 2.0.

XSS improvements for bound attributes

An XSS vulnerability occurs when you inadvertently put unescaped user-supplied content into the DOM, creating a vector for an attacker to trick the browser into evaluating JavaScript that runs in your origin with the same access to data as your legitimate JavaScript.

Since its inception, Ember.js has automatically defended against these attacks by HTML-escaping any bound data that enters the DOM. For example, given this model data:

{
  "firstName": "<script type=javascript>alert('pwned!');</script>"
}

The following template is not vulnerable to XSS:

Hello, {{firstName}}!

That’s because Ember automatically replaces the < and > characters with &lt; and &gt;.

However, there is another potential exploitation vector: bound attributes.

Suppose you display a profile page for your users and allow them to provide an arbitrary homepage URL that your app links to:

{{!-- app/templates/user.hbs --}}
First Name: {{firstName}}
Homepage: <a {{bind-attr href=homepageUrl}}>{{homepageUrl}}</a>

Although this template may seem harmless at first glance, imagine that a malicious user provides the following data:

{
  "firstName": "Guardians of Peace",
  "homepageUrl": "javascript:alert('Kim Jong Un is not to be disrespected!')"
}

If an attacker can induce other users to click the profile link, you have inadvertently allowed their JavaScript to be evaluated in the same origin as your trusted code.

Starting with Ember 1.9.1, any bound href, src or background attribute whose value contains a javascript: or vbscript: protocol handler is automatically escaped by prefixing its value with unsafe:.

We have also released a new beta of Ember 1.10 that contains a more targeted fix. Because the HTMLBars parser gives us additional information, these attributes will only be escaped on the elements where they can trigger top-level navigation and could therefore be exploited: a, body, link, iframe, and img.
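The two defences described above, text escaping and the unsafe: prefix on bound URL attributes, as an added example in plain JavaScript. This is not Ember's own implementation: the function names, the whitespace and case normalisation, the string-based template stand-in and the http/https allowlist check are this page's illustration of the technique. The attribute names and the two protocol handlers are the ones named for 1.9.1, and the element list is the one given for the 1.10 beta. The normalisation step matters because browsers strip tabs and newlines from a URL and ignore leading control characters before the scheme, so a check that only looks for a literal "javascript:" prefix is easy to slip past.

```javascript
// Added illustration (not Ember's own implementation): models the two
// defences the post describes so their edge cases can be exercised offline.

// Layer 1: text content is HTML-escaped before it enters the DOM, which is
// what {{firstName}} has always done. Quotes are escaped too so the same
// function can be used for attribute values.
function escapeHTML(str) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  };
  return String(str).replace(/[&<>"'`]/g, (ch) => entities[ch]);
}

// Layer 2: bound attributes that carry a URL. The attribute names and the
// two protocol handlers are the ones named in the 1.9.1 description; the
// element list is the one given for the 1.10 beta.
const URL_ATTRIBUTES = new Set(['href', 'src', 'background']);
const BAD_PROTOCOLS = new Set(['javascript:', 'vbscript:']);
const NAVIGATING_ELEMENTS = new Set(['a', 'body', 'link', 'iframe', 'img']);

// Browsers drop ASCII tab, LF and CR anywhere in a URL and ignore leading
// C0 controls and spaces before the scheme, so "java\tscript:" or
// "\u0001JavaScript:" reaches the engine as javascript:. A scheme check
// must apply the same normalisation first or it is trivially bypassed.
function schemeOf(value) {
  const cleaned = String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() + ':' : null;
}

// Returns the value to place in the attribute. restrictToElements=false is
// the 1.9.1 behaviour (every element); true is the narrower 1.10 behaviour.
function sanitizeAttributeValue({ element, attribute, value, restrictToElements = false }) {
  if (!URL_ATTRIBUTES.has(attribute.toLowerCase())) return value;
  if (restrictToElements && !NAVIGATING_ELEMENTS.has(element.toLowerCase())) return value;
  const scheme = schemeOf(value);
  return scheme && BAD_PROTOCOLS.has(scheme) ? 'unsafe:' + value : value;
}

// Defence in depth the framework cannot do for you: only accept homepage
// URLs whose scheme is on an allowlist, instead of blocking two known-bad ones.
function isAllowedHomepage(value) {
  const scheme = schemeOf(value);
  return scheme === 'http:' || scheme === 'https:';
}

// Renders the profile template from the post as a string (hypothetical
// stand-in for the Handlebars template; not Ember's rendering).
function renderProfile(user, options = {}) {
  const href = sanitizeAttributeValue({
    element: 'a', attribute: 'href', value: user.homepageUrl, ...options,
  });
  return `First Name: ${escapeHTML(user.firstName)}\n` +
    `Homepage: <a href="${escapeHTML(href)}">${escapeHTML(user.homepageUrl)}</a>`;
}

// Constructed sample data, taken from the post's example.
const MALICIOUS_USER = {
  firstName: 'Guardians of Peace',
  homepageUrl: "javascript:alert('Kim Jong Un is not to be disrespected!')",
};

console.log(renderProfile(MALICIOUS_USER));
// The anchor now carries href="unsafe:javascript:alert(...)", a scheme the
// browser does not execute, while the visible link text is entity-escaped.
```

Run it with node. The prefix approach blocks the two handlers the post names; it is not a general URL validator, so validating user-supplied URLs against a scheme allowlist (as isAllowedHomepage does) before they reach a template remains the stronger rule.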

We would like to thank Mano and Manoharan from Zoho for responsibly disclosing this potential XSS vector and working with us to find solutions to help developers write secure applications.

Change log
