Merge pull request #656 from cloudscribe/feature/482_2

JimKerslake · web-flow · commit 2ab5721762ed · 2025-08-20T09:59:18.000+01:00
#482 add missing checks to js sanitiser
diff --git a/src/cloudscribe.SimpleContent.Web/Services/Page/JsSecuritySanitizer.cs b/src/cloudscribe.SimpleContent.Web/Services/Page/JsSecuritySanitizer.cs
@@ -64,8 +64,8 @@ public class JsSecuritySanitizer
             "location.href",          // Commonly set to redirect
             "document.location",      // Same
             "window.name",            // Used to pass data between domains
-            "localStorage",           // Persistent local storage
-            "sessionStorage",         // Session-scoped storage
+            "localStorage",           // Persistent local storage (including .setItem, .getItem, etc.)
+            "sessionStorage",         // Session-scoped storage (including .setItem, .getItem, etc.)
             "indexedDB",              // DB access
             "navigator.geolocation",  // Gets user location
             "navigator.clipboard",    // Read/write clipboard
@@ -108,6 +108,27 @@ private void TraverseNode(Node node, List<string> issues)
                 {
                     issues.Add($"Call to disallowed function: {ident.Name}");
                 }
+                
+                // Check for method calls on dangerous objects (e.g., localStorage.setItem)
+                if (callExpr.Callee is MemberExpression memberCall &&
+                    memberCall.Object is Identifier objIdent)
+                {
+                    // Check if it's a dangerous object being called
+                    if (DangerousProperties.Contains(objIdent.Name))
+                    {
+                        issues.Add($"Method call on disallowed object: {objIdent.Name}");
+                    }
+                }
+            }
+
+            // Check for dangerous constructor calls (new XMLHttpRequest(), new Function(), etc.)
+            if (node is NewExpression newExpr)
+            {
+                if (newExpr.Callee is Identifier ident &&
+                    DangerousCalls.Contains(ident.Name))
+                {
+                    issues.Add($"Use of disallowed constructor: new {ident.Name}()");
+                }
             }
 
             // Check for dangerous property access like window.location or document.cookie
