
Security issue - XSS #2642


jeromevoxteneo created

Hello,

I use the ASP.NET Zero MVC jQuery template.

Actually I have a big issue. A user is allowed to enter HTML inside an input of type text, like "test <script>alert('test')</script>". With the current code that makes an Ajax call from jTable, the HTML is not encoded.

So my website is not XSS safe.

Did I miss something?

I tried on an unmodified version of the ASP.NET Zero product and I don't have the issue there. What should I check to remove this issue from my website?


9 Answer(s)
  • ismcagdas created
    Support Team

    Hi,

    Are you having problems when showing this data with jTable?

  • jeromevoxteneo created

    Yes, the data shown in jTable executes the HTML.

    So when I set my input field to: t <script>alert('security breach');</script> and click on save.

    jTable refreshes the table and executes the script.

    So I get a JS alert "security breach".

  • ismcagdas created
    Support Team

    Hi,

    jTable does not have such an option right now as far as I know. Did you try to encode this specific data on the server side?

  • jeromevoxteneo created

    No I didn't. I was expecting to have a mechanism that automatically makes it.

    By checking again, the template actually has this issue:

    Database:

    see: http://hpics.li/088a0c3

    Url: http://localhost:6240/Mpa/Users

    and you get a JS alert. That means that an attacker can potentially run a JS file in the context of the domain and steal sensitive information.

    In the Angular part the entry is HTML safe.

  • ismcagdas created
    Support Team

    Hi,

    You are right, we will fix this. In the meantime, you can show your specific data using jTable's display function (http://www.jtable.org/ApiReference/FieldOptions#fopt-display). You can encode data in this function using JavaScript.

  • jeromevoxteneo created

    Thank you, please keep me informed when you find a good solution to prevent this.

    Actually I'm doing this in jTable as you suggested:

    lastName: {
        title: app.localize('LastName'),
        width: '10%',
        //TODO: Remove when XSS issue is fixed.
        display: function (data) {
            // Set the value as text, then read it back as HTML so any markup in it is encoded.
            return $('<div/>').text(data.record.lastName).html();
        }
    },
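    The encoding approach suggested by the support team above, and used for the single lastName column in the snippet just posted, generalised to every user-controlled column of a jTable field definition. This is an added example, not code from ASP.NET Zero, jTable or the thread participants. It has no jQuery dependency so it runs under Node as well as in a browser; the encoder escapes quotes in addition to the &, < and > that jQuery's .text().html() round trip produces, so the result is also safe inside attribute values. The field names and the sample record are constructed for the example.

```javascript
// Added example (not from the ASP.NET Zero thread or jTable): an HTML-encoding
// helper plus a jTable-style "display" callback that uses it, applied to all
// listed columns so the encoding is not forgotten on one of them.

// Encode the five characters that matter in an HTML text node or attribute.
// Replacing '&' first avoids double-encoding the entities emitted afterwards.
function encodeHtml(value) {
    if (value === null || value === undefined) {
        return '';
    }
    return String(value)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}

// Build a jTable field "display" callback for one record property.
// jTable calls display(data) with data.record set to the row object and
// inserts the returned string into the cell as HTML, which is why any value
// that originated from user input must be encoded here.
function encodedDisplay(propertyName) {
    return function (data) {
        return encodeHtml(data.record[propertyName]);
    };
}

// Copy a jTable "fields" definition, attaching an encoding display callback
// to each field named in fieldNames. Other field options are left untouched.
function withEncodedFields(fields, fieldNames) {
    var result = {};
    Object.keys(fields).forEach(function (name) {
        result[name] = Object.assign({}, fields[name]);
        if (fieldNames.indexOf(name) !== -1) {
            result[name].display = encodedDisplay(name);
        }
    });
    return result;
}

// Constructed sample record carrying the payload described in the thread.
var sampleRecord = {
    name: 'Jane',
    lastName: "t <script>alert('security breach');</script>"
};

// Constructed field definition; field names are assumptions for the example.
var fields = withEncodedFields({
    name: { title: 'Name', width: '10%' },
    lastName: { title: 'Last name', width: '10%' }
}, ['name', 'lastName']);

// What jTable would insert into the lastName cell: the tag is now literal text.
var rendered = fields.lastName.display({ record: sampleRecord });
console.log(rendered);
```

    Passing the object returned by withEncodedFields as the fields option of the jTable call keeps the per-column definitions readable while guaranteeing that every column listed is encoded before it reaches the DOM.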
    
  • ismcagdas created
    Support Team

    Hi,

    We will try to fix it as soon as possible.

    Thanks

  • jeromevoxteneo created

    Any news about this issue?

  • ismcagdas created
    Support Team

    Hi,

    Currently we have decided not to implement it in jTable. Since you will have this case in a few places in your app, and probably most apps will have the same, it is better to handle this case yourself in the way that we suggested.

    Thanks.