Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-5722

DomPurify doesn't neutralize double quotes in attribute string, can be used for XSS attacks

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Normal Normal
    • 10.0.1
    • 10.0.0
    • None
    • Security Level: Jimmy
    • None

      Steps to Reproduce

      Run attached sample (zk 10.0.0)
      Copy reproducing string (red string) into "product description"
      Click "use user data for link attribute content" and "use user data for window attribute content"
      Click on link, click on "click here for XSS" window header

      Current Result

      click on link and click on window trigger alert from injected JS onClick attribute

      Expected Result

      Attribute content shouldn't be able to break out attribute and create additional attributes

      Debug Information

      Appear to be caused by DomPurify.sanitize not identifying doubleQuote attribute break, if the tested string is not a fully formed tag (starting with < and ending with >)

      Workaround

      <script> 
      		/**
      		 * Purpose: Workaround Prevent XSS exploit on attributes
      		 * Based on version: 10.0.0
      		 * Last update: 10.0.0
      		 */
      		if(zk.version != '10.0.0'){
      		   console.warn('This override script version compatibility was tested for ZK 10.0.0. If you are running a different version, please check this script compatibility ');
      		}
      		zk.afterLoad('zk', function() {
      		    var xWidget = {};
      		    zk.override(zk.Widget.prototype, xWidget, {
      		        domTooltiptext_ : function() {
      		            var result = xWidget.domTooltiptext_.apply(this, arguments);
      		            return zUtl.encodeXMLAttribute(result);
      		        },
      		        domClass_ : function() {
      		            var result = xWidget.domClass_.apply(this, arguments);
      		            return zUtl.encodeXMLAttribute(result);
      		        }
      		    });//zk.override
      		});//zk.afterLoad
      	</script>
      

            jumperchen jumperchen
            MDuchemin MDuchemin
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: