space10-community / conversational-form

Turning web forms into conversations
https://space10-community.github.io/conversational-form/
MIT License
3.8k stars, 771 forks

XSS Vulnerability #29

Closed jhonnymoreira closed 7 years ago

jhonnymoreira commented 8 years ago

Description

The image below shows the result when trying to execute some code through the input. The message was: <img src="x" onerror="alert('XSS Vulnerability')">. Since there isn't an image named 'x', the onerror function is triggered, which means the input value isn't getting sanitized and it is opening a security breach.

[Screenshot: XSS on Demo]

How to solve?

Whenever dealing with user input, sanitize the input with a safeString method, otherwise, the vulnerability will persist.

How to simulate the problem

  1. Open the demo
  2. Type code that triggers some function related to an error, such as <img src="x" onerror="document.location = 'https://twitter.com'">
  3. The expected result is to get redirected to Twitter

jhonnymoreira commented 8 years ago

I would be glad to help on the issue and send a patch to solve this problem. While reviewing the code I saw a piece of code that I'm almost sure is causing the security breach:

https://github.com/space10-community/conversational-form/blob/master/src/scripts/cf/ui/UserInput.ts#L102-L104

// /src/scripts/cf/ui/UserInput.ts
// Lines: 102 to 104
// Returns the raw input value with no escaping or sanitization
public getInputValue():string{
  return this.inputElement.value;
}

Proof of concept

// getInputValue() behaves like this identity function: whatever goes in comes out unchanged
const poc = value => value;

// the argument is handed back untouched, so any markup in it survives to the DOM
poc((() => { console.log('XSS Vulnerability'); })());
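The two points raised above, the unescaped pass-through in getInputValue() and the suggested safeString step, side by side as an added example. This is not conversational-form's own code and not the reporter's patch; escapeHtml, renderMessageHtmlUnsafe, renderMessageHtml, containsInjectedTag and the payload string are assumptions made for the illustration.

```javascript
// Added example, not code from the conversational-form project.
// Contrasts an identity pass-through (the getInputValue() shape) with an
// HTML-escaping "safeString" step, and shows what each hands to an innerHTML sink.

// Constructed payload, the same one used in the issue report.
const PAYLOAD = '<img src="x" onerror="alert(\'XSS Vulnerability\')">';

// Entity-escape the five characters that can change HTML structure or break
// out of an attribute value. The result is safe in element content and in a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape: the raw input is concatenated into markup that a UI layer
// later assigns to innerHTML, so any tag in it becomes live DOM and its
// onerror handler runs.
function renderMessageHtmlUnsafe(value) {
  return '<div class="message">' + value + '</div>';
}

// Hardened shape: escape before building the markup, so the payload is shown
// as literal text instead of being parsed as an element.
function renderMessageHtml(value) {
  return '<div class="message">' + escapeHtml(value) + '</div>';
}

// Strips the wrapper and reports whether a start tag survived inside it.
// Used only to make the difference between the two renderers checkable.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<div class="message">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z]/i.test(inner);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderMessageHtmlUnsafe(PAYLOAD)); // <img ...> survives intact
  console.log(renderMessageHtml(PAYLOAD));       // &lt;img ...&gt;, inert text
}
```

In a browser the simplest fix is to avoid innerHTML for user text altogether and assign it with textContent, which never parses markup; escaping as above is the fallback when the message has to travel through an HTML string.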

felixknox commented 8 years ago

@jhonnymoreira nice! You are more than welcome to make a PR with a fix.

jhonnymoreira commented 8 years ago

Hey, @felixnielsen, today I wasn't able to work on the patch, tomorrow I'll have some free time to fix this, ok?

felixknox commented 8 years ago

Thanks @jhonnymoreira just ping me if any questions.