Our latest security scan identified line 36 of svg4everybody.js as a potential security flaw. I may not be reading the source code correctly, but thought it might be good to sanitize or otherwise validate the response text.
Line 36: `cachedDocument.body.innerHTML = xhr.responseText, xhr._cachedTarget = {})`

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page. Attack vector: innerHTML
Description: This call to innerHTML() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with user-supplied input, allowing an attacker to embed malicious content, such as JavaScript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
Remediation: Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. Both the OWASP Java Encoder library and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet. In addition, as a best practice, always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
The response is the content of the XML SVG file. It strips the hash from the use href value and loads it directly. Not sure where the XSS is here, as the value is set by the HTML once and then replaced with the actual SVG content. A normal AJAX request which replaces the use tag.
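A validation step of the kind the report asks for, as an added example that is not svg4everybody's own code: it checks the `<use>` href before the XHR is opened (same-origin http(s) only, hash stripped as the thread describes) and checks the response Content-Type before anything is assigned to `innerHTML`. The page URL passed in and the `image/svg+xml` requirement are assumptions of this example.

```javascript
// Added example, not code from the svg4everybody project.
// Return { url, id } for an href that is safe to fetch, or null if it must be
// rejected. Only same-origin http(s) documents are allowed, so the text later
// assigned to cachedDocument.body.innerHTML is under the page author's control
// to the same degree as the page's own markup.
function allowedSvgSource(href, pageUrl) {
  let url;
  try {
    url = new URL(href, pageUrl);            // resolves relative hrefs like "icons.svg#star"
  } catch (e) {
    return null;                             // malformed href
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null; // no javascript:/data:/blob:
  if (url.origin !== new URL(pageUrl).origin) return null;               // cross-origin document
  const id = url.hash.slice(1);              // the symbol id the <use> points at
  if (!/^[A-Za-z_][\w.-]*$/.test(id)) return null;                       // empty or odd fragment
  url.hash = '';                             // the library strips the hash before loading
  return { url: url.href, id };
}

// Accept the fetched body only if the server labelled it as SVG.
// Call this on xhr.getResponseHeader('Content-Type') before touching innerHTML.
function isSvgContentType(contentType) {
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  return type === 'image/svg+xml';
}

// Wiring, for the browser: run the checks around the existing XHR (constructed usage).
function loadValidatedSymbol(href, pageUrl, onDocument) {
  const src = allowedSvgSource(href, pageUrl);
  if (!src) return false;                    // nothing is fetched for a rejected href
  const xhr = new XMLHttpRequest();
  xhr.open('GET', src.url);
  xhr.onload = function () {
    if (xhr.status === 200 && isSvgContentType(xhr.getResponseHeader('Content-Type'))) {
      onDocument(xhr.responseText, src.id);  // only now hand the text to the innerHTML step
    }
  };
  xhr.send();
  return true;
}
```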