Currently the auth.js file contains XSS vulnerabilities which allow code to be injected into the error callback via the URL, e.g. /_callback?error=%3Cscript%3Ealert(1)%3C/script%3E. This is possible since the query parameters for error, errorDescription and errorUri are rendered into the HTML body without DOM sanitization.
```js
// Relevant lines that retrieve the query parameters, line 202-217
// A known error code is mapped to its message; any other value of the
// `error` query parameter is passed through unchanged.
if (errors[queryString.error] != null) {
  error = errors[queryString.error];
} else {
  error = queryString.error;
}
...
```
```js
// Relevant lines in the auth.js file that generate the html, line 412
// Each ${...} value is interpolated straight into the template literal.
<div class="cover"><h1>${error}</h1><small>Error 401</small><p class="lead">${errorDescription}</p><p>${errorUri}</p></div>
```
I consider this a critical issue to fix in the sample code, or at least to highlight in the README, as it might allow grabbing session cookies or stealing login information by rendering a login UI.
I would propose a fix by using https://github.com/cure53/DOMPurify to sanitize the DOM body.
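The following is an added example and not code from the sample project or from the reporter (the DOMPurify snippet the report refers to is not shown on the page). It reproduces the reported pattern, query parameters interpolated into an HTML template literal, next to a hardened version. Instead of DOMPurify it uses plain contextual HTML escaping, which is the fitting defence when the string is built server-side as here. The contents of the `errors` map and the query parameter names `errorDescription` and `errorUri` are assumptions chosen to match the report's wording.

```javascript
// Added example, not code from the sample project or from the reporter.
// It reproduces the reported pattern (query parameters interpolated into an
// HTML template literal) beside a hardened version that HTML-escapes the values.
// The `errors` map contents and the query parameter names `errorDescription`
// and `errorUri` are assumptions made here to match the report's wording.

// Constructed sample data: known error codes mapped to friendly messages.
const errors = {
  access_denied: 'Access denied',
  invalid_request: 'Invalid request',
};

// Parse the query string of a callback URL into a plain object, as a server
// handler would before rendering. The base URL is only needed to parse a path.
function parseCallbackQuery(pathWithQuery) {
  const url = new URL(pathWithQuery, 'http://localhost');
  return Object.fromEntries(url.searchParams);
}

// Resolve the displayed error text the way the reported code does: a known
// code maps to its message, anything else is echoed back verbatim.
function resolveError(queryString) {
  return errors[queryString.error] != null ? errors[queryString.error] : queryString.error;
}

// Vulnerable rendering, mirroring line 412 of the report: untrusted values
// are interpolated straight into the HTML body, so a value such as
// "<script>alert(1)</script>" becomes live markup.
function renderErrorPageVulnerable(queryString) {
  const error = resolveError(queryString);
  const errorDescription = queryString.errorDescription;
  const errorUri = queryString.errorUri;
  return `<div class="cover"><h1>${error}</h1><small>Error 401</small><p class="lead">${errorDescription}</p><p>${errorUri}</p></div>`;
}

// Contextual output encoding for text placed between HTML tags. This is
// plain entity escaping, not DOMPurify; it treats every value as text, so no
// markup from the URL survives. Missing values render as an empty string.
function escapeHtml(value) {
  if (value == null) return '';
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same template, every interpolated value escaped.
function renderErrorPageHardened(queryString) {
  const error = escapeHtml(resolveError(queryString));
  const errorDescription = escapeHtml(queryString.errorDescription);
  const errorUri = escapeHtml(queryString.errorUri);
  return `<div class="cover"><h1>${error}</h1><small>Error 401</small><p class="lead">${errorDescription}</p><p>${errorUri}</p></div>`;
}

// True if the rendered page contains a script element, i.e. the payload
// survived as markup rather than as text.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The URL from the report, run through both renderers.
const reportedUrl = '/_callback?error=%3Cscript%3Ealert(1)%3C/script%3E';
const reportedQuery = parseCallbackQuery(reportedUrl);
console.log('vulnerable renders script tag:', containsScriptTag(renderErrorPageVulnerable(reportedQuery)));
console.log('hardened renders script tag:  ', containsScriptTag(renderErrorPageHardened(reportedQuery)));
```

Run with `node` and the vulnerable renderer reports `true` while the hardened one reports `false`; known error codes such as `access_denied` still render their friendly message, so the escaping only changes what happens to attacker-controlled values.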