Fix XSS via TXT, DNS demo domains

parent ead2ced5
......@@ -43,4 +43,11 @@ router.get("/docs/tor-relay-list/", (req: Request, res: Response, next: NextFunc
});
});
router.get("/docs/dns-demo/", (req: Request, res: Response, next: NextFunction) => {
res.render("docs/dns-demo.twig", {
"canonical_url": "/docs/dns-demo/",
"title": "DNS demo domains",
});
});
export const HomeController: Router = router;
......@@ -45,7 +45,7 @@
{% if data.ns %}
<h2>Nameserver records</h2>
<ul class="pl-3">
{% for record in data.ns %}
{% for record in data.ns|sort %}
<li><a href="/dns/{{ record }}">{{ record }}</a></li>
{% endfor %}
</ul>
......@@ -54,7 +54,7 @@
{% if data.cname %}
<h2>CNAME</h2>
<ul class="pl-3">
{% for record in data.cname %}
{% for record in data.cname|sort %}
<li><a href="/dns/{{ record }}">{{ record }}</a></li>
{% endfor %}
</ul>
......@@ -72,8 +72,8 @@
{% if data.txt %}
<h2>TXT records</h2>
<ul class="pl-0 list-unstyled">
{% for record in data.txt %}
<li><code>{{ txtParser(record) }}</code></li>
{% for record in data.txt|sort %}
<li><code>{{ txtParser(record|e) }}</code></li>
{% endfor %}
</ul>
{% endif %}
......@@ -81,7 +81,7 @@
{% if data.a %}
<h2>A records</h2>
<ul class="pl-3">
{% for record in data.a %}
{% for record in data.a|sort %}
<li class="ipRecord" data-ip="{{ record }}"><a href="/ip/{{ record }}">{{ record }}</a></li>
{% endfor %}
</ul>
......@@ -90,7 +90,7 @@
{% if data.aaaa %}
<h2>AAAA records</h2>
<ul class="pl-3">
{% for record in data.aaaa %}
{% for record in data.aaaa|sort %}
<li class="ipRecord" data-ip="{{ record }}"><a href="/ip/{{ record }}">{{ record }}</a></li>
{% endfor %}
</ul>
......
{% extends 'layouts/default.twig' %}
{% block body %}
<h1>{{ title }}</h1>
<h2>XSS &amp; HTML escape</h2>
<pre><code>$ dig +noall +answer -t TXT <a href="/dns/xss.lelux.fi" class="text-dark">xss.lelux.fi</a>
<a href="/dns/xss.lelux.fi" class="text-dark">xss.lelux.fi.</a> 86400 IN TXT "&lt;script&gt;alert('XSS!');&lt;/script&gt;"
<a href="/dns/xss.lelux.fi" class="text-dark">xss.lelux.fi.</a> 86400 IN TXT "&lt;script&gt;alert(\"XSS!\");&lt;/script&gt;"
$ dig +noall +answer -t TXT <a href="/dns/htmlescape.lelux.fi" class="text-dark">htmlescape.lelux.fi</a>
<a href="/dns/htmlescape.lelux.fi" class="text-dark">htmlescape.lelux.fi.</a> 86400 IN TXT "&lt;h1&gt;HTML!&lt;/h1&gt;"</code></pre>
<h2>TXT chunks</h2>
<pre><code>$ dig +noall +answer -t TXT <a href="/dns/chunk-demo.lelux.fi" class="text-dark">chunk-demo.lelux.fi</a>
<a href="/dns/chunk-demo.lelux.fi" class="text-dark">chunk-demo.lelux.fi.</a> 86400 IN TXT "chunk" " " "demo" " " "one"
<a href="/dns/chunk-demo.lelux.fi" class="text-dark">chunk-demo.lelux.fi.</a> 86400 IN TXT "chunk" " " "demo" " " "two"</code></pre>
<hr>
<p><a href="/docs/">Go back to documentation</a></p>
{% endblock %}
\ No newline at end of file
......@@ -66,6 +66,7 @@ location: https://peeringdb.com/api/net/291</code></pre>
href="https://peeringdb.com/api/net?asn=6939">https://peeringdb.com/api/net?asn=6939</a>,
but it returns less data for some reason.</p>
</li>
<li><a href="/docs/dns-demo/">DNS demo domains</a></li>
</ul>
{# <p>We couldn't understand why it couldn't be implemented <a href="https://peeringdb.com/apidocs/">natively in the PeeringDB API</a>...</p> #}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment