shinokada / svelte-heros-v2

Hero Icons v2 for Svelte. You can select outline and solid icons using the variation props. Svelte-Heros supports major CSS frameworks. You can add additional CSS using the `class` prop.
https://svelte-heros-v2.codewithshin.com
Apache License 2.0
41 stars 3 forks

[Vulnerability]: XSS Cross Site Scripting #15

Closed ZoneTwelve closed 1 year ago

ZoneTwelve commented 1 year ago

Description of the bug

Based on the code, I saw that the rendering method is using string template literals to process the color the user gives.

[Screenshot: Exploit]

Proof of Concept

[Screenshot: PoC]

Steps To Reproduce

  1. Write the XSS in a parameter, e.g. color, strokeWeight, etc.
  2. Run the site.
  3. You get the alert popup.

Additional Information

No response

shinokada commented 1 year ago

Your color prop quote has " and '.

[Screenshot]

It should be:

<Eye size="50" color='red' />

ZoneTwelve commented 1 year ago

Thank you for the response. But I think you are misunderstanding the purpose of the following code: if we have users who don't understand how the code works, that might cause a Cross-Site Scripting (XSS) in the argument rendering process. In my opinion, you should replace the string template iteration with another safer method.
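
The pattern described in this thread, as an added illustration that is not the svelte-heros-v2 code itself: a prop value interpolated straight into a template literal and inserted as raw markup lets a crafted value close the quoted attribute and add its own, while escaping the value for the attribute context keeps it inside the attribute. The shape of the render function (`renderIconUnsafe`, `renderIconSafe`, the `escapeAttr` helper, the toy attribute parser and the constructed `INJECTED_COLOR` value) is assumed for the demonstration; the library's real code may differ. In Svelte, plain `{value}` attribute bindings are escaped by the compiler, so the risk only arises when a string is assembled by hand and rendered with `{@html}` or an equivalent.

```javascript
// Added illustration (not the svelte-heros-v2 code): why interpolating a prop
// straight into markup is dangerous, and how attribute escaping closes the gap.
// Assumed shape: an <svg> string built with a template literal and inserted
// as raw HTML. The real library code may differ.

// Minimal HTML attribute escaping: every character that can terminate an
// attribute value or start a tag is replaced with its entity.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: the prop lands in the markup unchanged.
function renderIconUnsafe({ size = 24, color = "currentColor" } = {}) {
  return `<svg width="${size}" height="${size}" stroke="${color}"></svg>`;
}

// Hardened pattern: each interpolated value is escaped for the attribute context.
function renderIconSafe({ size = 24, color = "currentColor" } = {}) {
  return `<svg width="${escapeAttr(size)}" height="${escapeAttr(size)}" stroke="${escapeAttr(color)}"></svg>`;
}

// Toy, quote-aware parser for the attributes on the <svg> start tag.
// It only handles double-quoted values, which is all the renderers above emit.
function parseAttributes(markup) {
  const tag = markup.match(/<svg\b([^>]*)>/)[1];
  const attrs = {};
  const re = /\s([\w:-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1]] = m[2];
  }
  return attrs;
}

// Constructed input: a "color" that closes the quoted value and appends an attribute.
const INJECTED_COLOR = 'red" data-injected="1';

// Returns how many attributes each renderer ends up with for the same input.
function demo() {
  const unsafe = parseAttributes(renderIconUnsafe({ color: INJECTED_COLOR }));
  const safe = parseAttributes(renderIconSafe({ color: INJECTED_COLOR }));
  return {
    unsafeAttrs: Object.keys(unsafe).length, // width, height, stroke, data-injected
    safeAttrs: Object.keys(safe).length,     // width, height, stroke
    unsafeInjected: "data-injected" in unsafe,
    safeInjected: "data-injected" in safe,
  };
}

console.log(demo());
```

The check a reviewer would run against a fix is the one `demo()` performs: feed a value containing a quote and an equals sign through the renderer and confirm the output still has exactly the attributes the component intended.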

shinokada commented 1 year ago

Thank you for the clarification. I appreciate it, and I will see what I can do to address the issue.

shinokada commented 1 year ago

Can you check with svelte-heros-v2@0.5.1 and let me know if it solves this issue?

ZoneTwelve commented 1 year ago

Hello shinokada, I received your message, and I have written a Proof of Concept for your project svelte-heros-v2-vuln-PoC. If you want to try it yourself using the previous vulnerability, you can follow the instructions provided in my README.

I'm confident that, at the very least, it will no longer be able to execute my payload.