Security Fix for Cross-site Scripting (XSS) - huntr.dev #586
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[FIX] XSS validating context and encoding HTML
|
Could we get this high severity XSS vulnerability security bug looked at? |
wincent
added a commit
to liferay/liferay-frontend-projects
that referenced
this pull request
Feb 8, 2021
Applies the suggested fix that is sitting in an unmerged PR on the upstream repo: jquery-form/form#586
This was referenced Feb 8, 2021
|
If the project is abandoned, please let us know, but if not, it's coming close to a year for a couple lines fix for a security bug... Thanks! |
|
Just a ping on this -- its a high vuln, with a fix, can someone with writeaccess merge this in? |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://huntr.dev/users/Mik317 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue URL | #464
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/form/1/README.md
User Comments:
📊 Metadata *
Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.
Bounty URL: https://www.huntr.dev/bounties/1-npm-form
⚙️ Description *
The
formlibrary suffered of aXSSissue, which was caused by 2 minor issues inside thecode, which made possible the usage ofevalonunsanitized values(inside the "override" ofparseJSON) andhtml parsingon aunsanitized AJAX response.💻 Technical Description *
The 2 issues have been fixed in the following way:
The
evalinside theparseJSONfunction has been removed, while it's been added aerrorwhich arises when the default$.parseJSONfunction (onjquery) isn't declared (anyone with good intentions would simply add thejqueryscript on the page and all works correctly again).The
)
unsanitized AJAX responsewas previously passed toparseHTMLwithout any check, making possible inject additionalHTML. I used a peculiarity ofjqueryto translate theHTMLnodes evaluated intotext nodes, which are equal toHTML encoded entities(can be verified seeing this:🐛 Proof of Concept (PoC) *
No PoC was provided, so I worked mostly theoretically on the issue/lines identified by the 2 issues in the
original repo🔥 Proof of Fix (PoF) *
Theoretical fix 😄
👍 User Acceptance Testing (UAT)
Can't be sure of this but seems all OK (nodes are still nodes of different type and a function is null --> arises exception due to a function undefined)