This repository was archived by the owner on Dec 19, 2023. It is now read-only.

@mluis mluis commented Apr 1, 2021

📊 Metadata *

Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.

Bounty URL: https://huntr.dev/bounties/1-npm-list.js

⚙️ Description *

JavaScript doesn't provide an API to encode HTML, so the conversion from string to HTML entities needs to be implemented.

💻 Technical Description *

It converts non-word characters to HTML entities.
For instance, <img src=x onerror=alert(1)> would be converted to &#60;img src&#61;x onerror&#61;alert&#40;1&#41;&#62;,
which is then interpreted correctly by the browser.

🐛 Proof of Concept (PoC) *

```html
<html>
<head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/list.js/2.3.1/list.min.js"></script>
</head>
<body>
    <div id="hacker-list">
        <ul class="list">
            <li>
                <h3 class="name">Jonny</h3>
                <p class="city">Stockholm</p>
            </li>
        </ul>
    </div>
    <script>
        var options = {
            valueNames: ['name', 'city']
        };

        var hackerList = new List('hacker-list', options);

        // The name value carries markup instead of plain text.
        hackerList.add({ name: '<img src=x onerror=alert(1)>', city: 'Berlin' });
    </script>
</body>
</html>
```

🔥 Proof of Fix (PoF) *

```html
<html>
<head>
    <!-- Local build of list.js that includes the change from this PR -->
    <script src="list.min.js"></script>
</head>
<body>
    <div id="hacker-list">
        <ul class="list">
            <li>
                <h3 class="name">Jonny</h3>
                <p class="city">Stockholm</p>
            </li>
        </ul>
    </div>
    <script>
        var options = {
            valueNames: ['name', 'city']
        };

        var hackerList = new List('hacker-list', options);

        // Same input as the PoC; the markup should now show up as text.
        hackerList.add({ name: '<img src=x onerror=alert(1)>', city: 'Berlin' });
    </script>
</body>
</html>
```

👍 User Acceptance Testing (UAT)

Run a unit test or a legitimate use case to prove that your fix does not introduce breaking changes.
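
Added example, not part of this PR or of the list.js code base: a sketch of the numeric-entity encoding described in the Technical Description, applied to the `valueNames` fields used in the PoC. The function names are hypothetical, and the character class is an assumption chosen because it reproduces the sample output above (spaces are left alone).

```javascript
// Added example: all names here are hypothetical, not list.js internals.
// Assumption: "non-word" means anything outside [A-Za-z0-9_] and whitespace,
// which matches the sample output quoted in the PR description.
const NON_WORD = /[^\w\s]/gu;

// Replace each non-word code point with its decimal numeric entity.
// The `u` flag makes the regex walk whole code points, so an astral
// character becomes one entity rather than two surrogate halves.
function encodeHtml(value) {
  return String(value).replace(NON_WORD, (ch) => `&#${ch.codePointAt(0)};`);
}

// Single-pass inverse for decimal entities: the text a browser would
// display for the encoded string when it is parsed as HTML text.
function decodeNumericEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Encode only the string fields named in valueNames; leave other types alone.
function encodeItem(item, valueNames) {
  const out = {};
  for (const key of valueNames) {
    const v = item[key];
    out[key] = typeof v === 'string' ? encodeHtml(v) : v;
  }
  return out;
}

// Constructed sample input, taken from the PoC's add() call.
const sample = { name: '<img src=x onerror=alert(1)>', city: 'Berlin' };
const encoded = encodeItem(sample, ['name', 'city']);
console.log(encoded.name);
console.log(decodeNumericEntities(encoded.name) === sample.name);

// Encoding twice stays safe: '&', '#' and ';' are themselves encoded,
// so a single decode returns the once-encoded string, never raw markup.
console.log(decodeNumericEntities(encodeHtml(encoded.name)) === encoded.name);
```

Entity encoding of this kind covers values placed in HTML text and quoted attribute values. It does not make a value safe inside a script block or as a URL, because the browser decodes entities before it interprets those contexts.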

@huntr-helper

👋 Hello, @javve. @mluis has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@javve - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)
