Steps to Reproduce
Run the attached sample (ZK 10.0.0)
Copy the reproducing string (the red string) into the "product description" field
Click "use user data for link attribute content" and "use user data for window attribute content"
Click the link, then click the "click here for XSS" window header
Current Result
Clicking the link and clicking the window header each trigger an alert from the injected JS onclick attribute
Expected Result
Attribute content should not be able to break out of the attribute value and create additional attributes
Debug Information
Appears to be caused by DOMPurify.sanitize not detecting the double-quote attribute break when the tested string is not a fully formed tag (starting with < and ending with >): the string is treated as plain text and passed through unchanged, so once it is written into a double-quoted attribute it terminates the value and starts a new attribute
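The report attributes the bypass to a sanitizer that only reacts to fully formed tags. The following added example (not code from this bug report, from ZK, or from DOMPurify) reproduces that gap with a plain string check and shows what attribute-context encoding changes. The payload, the tooltip markup, the small attribute parser and encodeXMLAttribute (a stand-in for zUtl.encodeXMLAttribute, whose real implementation is not on the page) are all constructed for the example.

```javascript
// Added example, not part of the ZK bug report or the ZK code base.
// Demonstrates why a markup sanitizer does not protect an attribute context
// and what an attribute encoder changes.

// Constructed payload: not a tag, so a "fully formed tag" check ignores it.
const PAYLOAD = '" onclick="alert(1)';

// Mirrors the condition described in the report: only strings that begin
// with '<' and end with '>' are treated as markup worth sanitizing.
function isFullyFormedTag(s) {
  return /^<[\s\S]*>$/.test(s.trim());
}

// Assumed stand-in for zUtl.encodeXMLAttribute: escape every character
// that can terminate or alter an attribute value or start markup.
function encodeXMLAttribute(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed rendering in the shape of the bug: user data goes straight
// into a double-quoted title attribute, optionally through the encoder.
function renderTooltip(userData, encode) {
  const value = encode ? encodeXMLAttribute(userData) : userData;
  return `<a href="#" title="${value}">link</a>`;
}

// Reverse the named references produced by encodeXMLAttribute so the
// round-trip of the encoded title can be checked.
function decodeAttribute(v) {
  return v.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Minimal parser for the attributes of the first start tag in `html`:
// enough to show which attributes a browser would actually see.
function parseAttributes(html) {
  const m = /^<([a-zA-Z][\w-]*)([\s\S]*?)\/?>/.exec(html);
  if (!m) return {};
  const attrs = {};
  const re = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    const name = a[1].toLowerCase();
    const value = a[2] !== undefined ? a[2]
                : a[3] !== undefined ? a[3]
                : a[4] !== undefined ? a[4] : '';
    // First occurrence wins, as in HTML parsing.
    if (!(name in attrs)) attrs[name] = decodeAttribute(value);
  }
  return attrs;
}

// Returns what each rendering path produces for the constructed payload:
// raw rendering yields a second attribute (onclick); encoded rendering
// keeps the whole payload inside the title value.
function demo() {
  return {
    payloadLooksLikeTag: isFullyFormedTag(PAYLOAD),
    raw: parseAttributes(renderTooltip(PAYLOAD, false)),
    encoded: parseAttributes(renderTooltip(PAYLOAD, true)),
  };
}
```

Run it with node and inspect demo(): the raw rendering exposes an onclick attribute with the title truncated to an empty string, while the encoded rendering carries the full payload as the title text and nothing else. The practical check is that user data may reach a double-quoted attribute only through an attribute encoder; a tag-level sanitizer that treats non-tag text as safe is the wrong tool for that context.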
Workaround
<script>
/**
 * Purpose: Workaround: prevent XSS exploit on attributes
 * Based on version: 10.0.0
 * Last update: 10.0.0
 */
if (zk.version != '10.0.0') {
	console.warn('This override script version compatibility was tested for ZK 10.0.0. If you are running a different version, please check this script compatibility ');
}
zk.afterLoad('zk', function() {
	var xWidget = {};
	// Override the widget methods that produce attribute content so their
	// result is attribute-encoded before it is written into the DOM.
	zk.override(zk.Widget.prototype, xWidget, {
		// tooltip text ends up in a title attribute
		domTooltiptext_: function() {
			var result = xWidget.domTooltiptext_.apply(this, arguments);
			return zUtl.encodeXMLAttribute(result);
		},
		// class names end up in a class attribute
		domClass_: function() {
			var result = xWidget.domClass_.apply(this, arguments);
			return zUtl.encodeXMLAttribute(result);
		}
	}); //zk.override
}); //zk.afterLoad
</script>