Fix XSS attack vector

[i-n-g-m-a-r]

@see https://elixirforum.com/t/phoenix-debug-errors-vulnerable-to-xss/69936

[fuelen]

Could you check these places?

plug/lib/plug/templates/debugger.md.eex

Lines 34 to 38 in 12b1acf

	* Query string: <%= @conn.query_string %>
	### Headers
	<%= for {key, value} <- Enum.sort(@conn.req_headers) do %>
	* <%= key %>: <%= value %><% end %>

seems like query_string and headers may be vulnerable as well

[i-n-g-m-a-r]

@fuelen nice catch, tnx :)

[SteffenDE]

I think the correct approach here is to just escape the whole textarea content:

diff --git a/lib/plug/debugger.ex b/lib/plug/debugger.ex
index 1974db6..4f69d7b 100644
--- a/lib/plug/debugger.ex
+++ b/lib/plug/debugger.ex
@@ -234,7 +234,7 @@ defmodule Plug.Debugger do
         Keyword.merge(assigns,
           conn: conn,
           message: maybe_autolink(message),
-          markdown: markdown,
+          markdown: h(markdown),
           style: style,
           banner: banner,
           actions: actions,
diff --git a/lib/plug/templates/debugger.html.eex b/lib/plug/templates/debugger.html.eex
index fdc8f20..94242a1 100644
--- a/lib/plug/templates/debugger.html.eex
+++ b/lib/plug/templates/debugger.html.eex
@@ -1057,7 +1057,7 @@
         function copyToClipboard () {
           if(navigator.clipboard) {
             // For those working on localhost or HTTPS
-            navigator.clipboard.writeText($copy.innerHTML).then(copiedClipboard).catch(() => {})
+            navigator.clipboard.writeText($copy.textContent).then(copiedClipboard).catch(() => {})
           } else {
             // For those working on HTTP
             $copy.select()

The copy button should use textContent instead of innerHTML.

Not sure if escaping in the markdown template itself is necessary. I guess that depends on who is rendering the markdown, but that's typically not a browser.

[SteffenDE]

LGTM! @josevalim

[josevalim]

💚 💙 💜 💛 ❤️