The Elm runtime crashes when </script> is used. Other XSS examples are correctly encoded.
Minimal example:
import Html exposing (text)
main = text "</script>"
Result:
_Platform_export({'Main':{'init':_VirtualDom_init($author$project$Main$main)(0)(0)}});}(this));
var app = Elm.Main.init({ node: document.getElementById("elm") });
}
catch (e)
{
// display initialization errors (e.g. bad flags, infinite recursion)
var header = document.createElement("h1");
header.style.fontFamily = "monospace";
header.innerText = "Initialization Error";
var pre = document.getElementById("elm");
document.body.insertBefore(header, pre);
pre.innerText = e;
throw e;
}Working example:
import Html exposing (text)
main = text "<a href=\"javascript://%0Aalert('XSS');\">XSS</a>"Result (correctly encoded):
<a href="javascript://%0Aalert('XSS');">XSS</a>This happens in the Elm Playground, with elm reactor or builds created by elm make.
User input is also correctly encoded. This happens only for </script> when it’s used at compile-time.
The Elm runtime crashes when
</script>is used. Other XSS examples are correctly encoded.Minimal example:
Result:
Working example:
Result (correctly encoded):
This happens in the Elm Playground, with
elm reactoror builds created byelm make.User input is also correctly encoded. This happens only for
</script>when it’s used at compile-time.