
I can't use relative links anymore in jquery-terminal because all links must have either an ftp or http(s) protocol.

I don't quite understand the warning https://terminal.jcubic.pl/api_reference.php#security

What could happen if I use the anyLinks: true option to continue using relative links?

  • I can fix the issue with relative links; I've just whitelisted ftp and http and didn't think about URLs without a domain.
    – jcubic
    Commented Oct 14, 2018 at 13:31
  • I've updated the code on the devel branch and it now accepts URLs that start with ./ ../ and /, but if you want to link to a file in the same directory you need to put ./ in front.
    – jcubic
    Commented Oct 14, 2018 at 15:08
  • OK. I'll wait for the next stable anyway because, from what you said below, I don't echo back data typed by the user, just a URL I make with my own data.
    – solsTiCe
    Commented Oct 16, 2018 at 15:23
  • I've just released version 2.0 because I needed to add one breaking change.
    – jcubic
    Commented Oct 20, 2018 at 14:24

1 Answer


If you don't echo back stuff from the user and don't send it to other users (like with a chat application), or when you don't echo from users and exec commands (using the execHash option), there are no security implications.

If you do echo stuff from the user, then the user can put [[!;;;;javascript:alert("xss")]xss], if you also allow formatting from the user. So you will be safe if you use this:

$('body').terminal(function(text) {
   // escape [ and ] so user text is never parsed as terminal formatting
   this.echo($.terminal.escape_brackets(text));
});

and you'll also be safe.

And if you need to echo stuff from users and allow formatting, then you need to validate user input like in normal XSS prevention, but the strings will be different.
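To make the risk concrete, here is an added example that is not jquery-terminal's own code and does not need jQuery: it parses the [[!;;;;link]text] formatting the answer mentions, applies an allowlist in the spirit of the comments above (http(s), ftp, and relative ./, ../ and / paths), and shows that escaping the brackets stops user text from being parsed as formatting at all. The regex, the function names, the reimplemented bracket escaping and the stricter rejection of protocol-relative //host links are assumptions of this example.

```javascript
// Added example (not jquery-terminal's own code). jquery-terminal formatting looks like
// [[flags;color;background;class;link]text]; with the "!" flag the span is a link and
// the fifth field carries its target. The regex below is an assumption of this example.
const FORMAT_RE = /\[\[([^;\]]*);([^;\]]*);([^;\]]*);([^;\]]*);([^\]]*)\]([^\]]*)\]/g;

// Allowlist like the one described in the comments: absolute http(s)/ftp URLs and
// relative paths starting with ./, ../ or /. Unlike a plain "/" prefix check, a
// protocol-relative "//host" target is rejected here (stricter, and an assumption).
// javascript:, data:, vbscript: and bare "file.html" all fail this test.
const SAFE_LINK_RE = /^(?:https?:\/\/|ftp:\/\/|\.\.?\/|\/(?!\/))/i;

function isSafeLink(target) {
  return SAFE_LINK_RE.test(target.trim());
}

// Extract every link target from a formatted line and classify it.
function findLinks(text) {
  const links = [];
  for (const m of text.matchAll(FORMAT_RE)) {
    const [, flags, , , , target, label] = m;
    if (flags.includes('!') && target) {
      links.push({ target, label, safe: isSafeLink(target) });
    }
  }
  return links;
}

// Same idea as $.terminal.escape_brackets, reimplemented so this runs without jQuery:
// once [ and ] are replaced, the text can never match the formatting syntax.
function escapeBrackets(text) {
  return text.replace(/\[/g, '&#91;').replace(/\]/g, '&#93;');
}

// Constructed sample input: a relative link built by the application itself, and the
// kind of payload the answer describes as if it had been typed by a user.
const APP_LINE = '[[!;;;;./docs/readme.html]readme]';
const USER_LINE = '[[!;;;;javascript:alert("xss")]xss]';

console.log(findLinks(APP_LINE));                  // one link, safe: true
console.log(findLinks(USER_LINE));                 // one link, safe: false
console.log(findLinks(escapeBrackets(USER_LINE))); // [] - no formatting parsed at all
```

With anyLinks: true the allowlist step disappears, so the only remaining defence for echoed user text is escaping the brackets (or validating the link field yourself).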
