Reduce risk of XSS (#1051)

* Skip non-own properties of env.attributes

Use `Object.keys` instead of a for-in loop to find optional attributes.
The former only grabs keys that are own properties, the latter also
includes inherit properties from `Object.prototype`.
This reduces the risk of XSS if an attacker somehow manages to
manipulate the prototype chain of the Object prototype.

* Fix root cause of XSS in autolinker plugin #1054

* command-line plugin: Safely encode attributes

If an attacker has control over the values of the attributes
"data-prompt", "data-user", or "data-host", then XSS was possible.
This fixes the issue, by encoding quotes as the `"` entity.

* show-language plugin: innerHTML -> textContent

There is no need for `innerHTML` here. At best nothing happens,
at worst XSS is possible (though the odds are negligible since
the attacker would have to control the detected language).

* toolbar plugin: innerHTML -> textContent

Author: Rob--W

components/prism-core.js

@@ -445,11 +445,9 @@ Token.stringify = function(o, language, parent) {
 
 	_.hooks.run('wrap', env);
 
-	var attributes = '';
-
-	for (var name in env.attributes) {
-		attributes += (attributes ? ' ' : '') + name + '="' + (env.attributes[name] || '') + '"';
-	}
+	var attributes = Object.keys(env.attributes).map(function(name) {
+		return name + '="' + (env.attributes[name] || '').replace(/"/g, '"') + '"';
+	}).join(' ');
 
 	return '<' + env.tag + ' class="' + env.classes.join(' ') + '"' + (attributes ? ' ' + attributes : '') + '>' + env.content + '</' + env.tag + '>';
 

components/prism-core.min.js

@@ -34,14 +34,18 @@ Prism.hooks.add('complete', function (env) {
 		pre.className += ' command-line';
 	}
 
+	var getAttribute = function(key, defaultValue) {
+		return (pre.getAttribute(key) || defaultValue).replace(/"/g, '&quot');
+	};
+
 	// Create the "rows" that will become the command-line prompts. -- cwells
 	var lines = new Array(1 + env.code.split('\n').length);
-	var promptText = pre.getAttribute('data-prompt') || '';
+	var promptText = getAttribute('data-prompt', '');
 	if (promptText !== '') {
 		lines = lines.join('<span data-prompt="' + promptText + '"></span>');
 	} else {
-		var user = pre.getAttribute('data-user') || 'user';
-		var host = pre.getAttribute('data-host') || 'localhost';
+		var user = getAttribute('data-user', 'user');
+		var host = getAttribute('data-host', 'localhost');
 		lines = lines.join('<span data-user="' + user + '" data-host="' + host + '"></span>');
 	}
 

plugins/command-line/prism-command-line.js

@@ -20,7 +20,7 @@ Prism.plugins.toolbar.registerButton('show-language', function(env) {
 	var language = pre.getAttribute('data-language') || Languages[env.language] || (env.language.substring(0, 1).toUpperCase() + env.language.substring(1));
 
 	var element = document.createElement('span');
-	element.innerHTML = language;
+	element.textContent = language;
 
 	return element;
 });

plugins/command-line/prism-command-line.min.js

@@ -120,7 +120,7 @@
 				element = document.createElement('span');
 			}
 
-			element.innerHTML = text;
+			element.textContent = text;
 		}
 
 		return element;