The article describes the XSS vulnerability example on developing using the Java Script and DHTML components of Foresight Analytics Platform.
Consider the example of the ListBox component. Suppose the list of its elements is obtained from the web application database.
var data = ["list1", "<b> xss <" + "/b>"];//Suppose that this list is obtained from the server end of the web application
var listBox = new PP.Ui.ListBox({
Items: [
{ Content: data[0] },
{ Content: data[1] }
],
ParentNode: document.body
});
After executing the example the ListBox component with the list1 and xss elements is located on the page, even if list1 <b> and xss </b> were expected.
IMPORTANT. The example is given for the harmless XSS vulnerability, but the <script> element can be inserted into the element text instead of the bold tag, which redirects the user to the attacker site.
This occurred because the HTML string and the predefined domNode.Control can be written to the Context property of all controls.
It can be resolved as follows:
var data = ["list1", "<b> xss <" + "/b>"];
var listBox = new PP.Ui.ListBox({
Items: [
{ Content: PP.escapeHTML(data[0]) },
{ Content: PP.escapeHTML(data[1]) }
],
ParentNode: document.body
});
As a result, the list1, <b> xss </b> elements are obtained.
NOTE. The PP.escapeHTML function can be used if the displayed data is entered to the database by the user or administrator, or the data is planned to be entered for one of the following product versions.
See also: