Security issue - XSS #2642

jeromevoxteneo created 7 years ago

Hello,

I use the aspnet zero MVC JQuery template.

Actually I have a big issue. User is allow to enter html inside of an input of type text like "test <script>alert('test')</script>". With the actual code to make an ajax call from jtable the html is not encoded.

So my website is not XSS safed.

Did I miss something ?

I tried on a not modified version of the product aspnet zero and I don't have issued there. What should I check to make this issue out of my website ?

9 Answer(s)

0

ismcagdas created 7 years ago
Support Team

Hi,

Are you having problems when showing this data with jtable ?
0

jeromevoxteneo created 7 years ago

Yes the data showing in jtable execute the html.

So when I set in my input field: t <script>alert('security breach');</script> click on save.

jtable refresh the table and execute the script.

So I get an js alert "security breach".
0

ismcagdas created 7 years ago
Support Team

Hi,

Jtable does not have such an option right now as far as I know. Did you try to encode this specific data on the server side ?
0

jeromevoxteneo created 7 years ago

No I didn't. I was expecting to have a mechanism that automatically makes it.

By checking again the template have actually this issue:

Database:

see: <a class="postlink" href="http://hpics.li/088a0c3">http://hpics.li/088a0c3</a>

Url: <a class="postlink" href="http://localhost:6240/Mpa/Users">http://localhost:6240/Mpa/Users</a>

and you get an alert js. That means that an attacker can potentially run js file with the context of the domain and steal sensitive information.

In the Angular part the entry is html safed.
0

ismcagdas created 7 years ago
Support Team

Hi,

You are right, we will fix this. In the mean time, you can show your specific data using jtable's display function <a class="postlink" href="http://www.jtable.org/ApiReference/FieldOptions#fopt-display">http://www.jtable.org/ApiReference/Fiel ... pt-display</a>. You can encode data in this function using javascript.

jeromevoxteneo created 7 years ago

Thank you, plz keep me in touch when you find a good solution to prevent this.

Actually I'm doing this in jtable as you suggest:

lastName: {
                    title: app.localize('LastName'),
                    width: '10%',
                    //TODO: Remove when XSS issue is fixed.
                    display: function (data) {
                        return $('<div/>').text(data.record.lastName).html();
                    }
                },

0

ismcagdas created 7 years ago
Support Team

Hi,

We will try to fix it as soon as possible.

Thanks
0

jeromevoxteneo created 7 years ago

Any news about this issue ?
0

ismcagdas created 7 years ago
Support Team

Hi,

Currently we decided not to implement it in jtable. Since you will have this case in a few places of your app and probably most apps will have the same, it is better to handle this case by yourself in the way that we suggested.

Thanks.

Have an answer to this question? Log in and write your answer.