ZK / ZK-5161

page directive's attributes are not encoded before rendering into HTML


    • Type: Bug
    • Resolution: Fixed
    • Priority: Normal
    • 10.0.0
    • 9.6.1
    • Security Level: Jimmy

      Steps to Reproduce

      1. add <?page title="</title><script>alert('XSS')</script>"?> into a blank zul
      or add <?page viewport="\"><script>alert('XSS')</script>"?> and visit with a mobile browser

      Alternative steps

      1. <?page title="${param.title}"?>
      2. visit http://localhost:8080/zk9support/ticket/zk-5161.zul?title=</title><script>alert('XSS')</script>

      Current Result

      the browser executes alert()

      Expected Result

      the browser doesn't execute the script

      Debug Information

      1. Other directives encode their attribute values when outputting to HTML, for example:

      <?meta name="'><script>" content="\"><script>alert('XSS')</script>"?>
      <?root-attributes anyname="\"><script>alert('XSS')</script>"?>

      So there is an inconsistency in the encoding of values among the directives.
      2. This unencoded content can cause an XSS issue.

      Workaround

      Escape HTML characters manually.
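      The following is an added example, not ZK's own code: a stand-in for the framework's output stage that renders the page directive's title and viewport values both unencoded (reproducing the ticket's payloads) and encoded the way the meta and root-attributes directives already are. Only the two payload strings come from the ticket; the renderer and its names are assumptions.

```python
"""ZK-5161 illustrated: <?page title=...?> lands in <title> element text and
<?page viewport=...?> in a <meta content="..."> attribute. Neither value is
encoded by the directive, so each breaks out of its context. The renderer
below is a hypothetical stand-in for the framework's output stage."""
import html
import re

# Payloads quoted in the ticket's reproduction steps.
TITLE_PAYLOAD = "</title><script>alert('XSS')</script>"
VIEWPORT_PAYLOAD = '"><script>alert(\'XSS\')</script>'


def render_head(title, viewport, encode):
    """Emit the <head> fragment produced from the page directive.

    encode=False reproduces the bug; encode=True applies the per-context
    escaping that the other directives already perform.
    """
    if encode:
        # <title> is RCDATA: tags are not parsed inside it, but a literal
        # "</title>" still closes it. Escaping '<' and '>' is sufficient and
        # the browser displays the original characters.
        title = html.escape(title, quote=False)
        # Attribute value: the quote that delimits the value must be escaped
        # too, or '">' terminates the attribute and the tag.
        viewport = html.escape(viewport, quote=True)
    return (f"<head><title>{title}</title>"
            f'<meta name="viewport" content="{viewport}"></head>')


def injected_scripts(fragment):
    """Count <script> start tags in the fragment; a head built from the
    directive should contain none."""
    return len(re.findall(r"<script\b", fragment, flags=re.IGNORECASE))


if __name__ == "__main__":
    for encode in (False, True):
        out = render_head(TITLE_PAYLOAD, VIEWPORT_PAYLOAD, encode)
        print(f"encode={encode}: {injected_scripts(out)} script tag(s)")
        print("  " + out)
```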

            jumperchen
            hawk