-
Bug
-
Resolution: Fixed
-
Blocker
-
10.0.0, 10.0.1, 10.0.1.1
-
None
-
Security Level: Jean
-
None
-
None
2024-10-11 - Reopened additonal cases of domPurify with partial content (see comment)
2024-10-09 - Reopened: additonal cases of domPurify failing with partial content:
https://zkfiddle.org/sample/342cc7c/2-domSanitze-errors-due-to-partial-html
Open fiddle, search of the string:
onClick
current result:
All of the samples above allow a onClick="..." string to escape from a DOM attribute, and register another attribute, such as a JS listener or others, and can be used as an XSS vector.
Expected result
Attributes are not escapable
Debug information
The core of the issue is that the DomPurify library only works with full HTML elements
A full element is either a full node, or an implicite text node.
A series of attributes without an opening tag causes the DomPurify library to incorectly "fix" the quotes / doublequotes, and as a result causes potential XSS scenarios
Dom purify is used in more locations than the ones reported in the current sample, and may still cause issues.
Even if this sample string doesn't trigger the issue, since DomPurify fails to correctly escape the attribute content in the scenario above, it is reasonable to expect that a well-crafted malicious string could be created for other cases with the same results.
2024-10-08 - Reopened: updated fiddle with reproducing case
https://zkfiddle.org/sample/1r8ig9m/2-dompurify-partial-html-updated
current result:
Using \" inside of a style value transform the " into ' character, instead of encoding it to "
If the string is delimited by single quotes, this allow the value to end the current single-quote delimited string and start another CSS rule.
Expected result
Style value cannot use \" to break out of a rule and create new unintended rules
Steps to Reproduce
Run fiddle
https://zkfiddle.org/sample/1r8ig9m/1-dompurify-partial-html
Current Result
the attribute cleanup fails for 2nd row, causing tooltipText to spill into DOM content
Expected Result
attribute content doesn't spill in dom content
Debug Information
Caused by DomPurify.sanitize incorrectly adding string ending doublequote inside of an existing attribute.
This happens on partial html content passed to DomPurify sanitize.
Doesn't happen on fully formed dom element content
Run in JS console as test samples:
DOMPurify.sanitize("<div id= title='<a href>'></div>")
> `<div href="" id="title='<a">'></div>`
href word inside of title, removed when inside of fully formed div outer element
DOMPurify.sanitize("<div id= title='<a foo>'></div>")
> `<div id="title='<a">'></div>`
foo word inside of title, removed when inside of fully formed div outer element
DOMPurify.sanitize("id= title='<a href>'")
> `id= title='<a href="">'</a>`
attribute content broken, href receives doublequotes, breaks attribute to dom content
DOMPurify.sanitize("id= title='<a foo>'")
> "id= title='<a>'</a>"
attribute content broken, but doesn't escape to dom content
Workaround
<script><![CDATA[ zk.afterLoad('zk', function() { var xzUtl = {}; zk.override(zUtl, xzUtl, { encodeXMLAttribute : function() { var result = xzUtl.encodeXMLAttribute.apply(this, arguments); return result.replaceAll('<', '<'); } });//zk.override });//zk.afterLoad ]]></script>