Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address potential XSS vulnerability #183

Open
maxatdetroit opened this issue Mar 13, 2024 · 0 comments
Open

Address potential XSS vulnerability #183

maxatdetroit opened this issue Mar 13, 2024 · 0 comments
Assignees
@maxatdetroit
Labels
bug Something isn't working prioritization-required This issue needs to be prioritized for future releases.

Comments

@maxatdetroit
Copy link
Member

maxatdetroit commented Mar 13, 2024
edited
Loading

Describe the bug

https://github.com/CityOfDetroit/COD-Design-System/security/code-scanning/246

See additional considerations below for an example of how an exploit could be crafted if the cod-icon were used in a peculiar way.

Solutions:

  1. (Short-term) Don't ever let data-size attribute value flow into the svg template string.
  2. (Long-term) Create the SVG elements using JS DOM APIs instead of directly setting innerHTML

Additional Considerations

Given the way Icon.js is written, an XSS is extremely unlikely though can't be ruled out entirely.

Consider lines 16-38 and lines 50-52 of Icon.js. The only possibility of DOM based XSS would be if someone using the cod-icon component allowed user-input to flow into the data-size attribute of cod-icon in which case it would be passed through to the template string for the icon <svg/> (lines 50-52). Even then, the user-input would have to use some escaping technique to break from the SVG and execute arbitrary code. Something like data-size="\"</svg><img src='404' onerror='alert('malicious code')'>".
@maxatdetroit maxatdetroit added the bug Something isn't working label Mar 13, 2024
@maxatdetroit maxatdetroit self-assigned this Mar 13, 2024
@maxatdetroit maxatdetroit changed the title Address using DOM text as HTML issue Address potential XSS vulnerability Mar 14, 2024
@maxatdetroit maxatdetroit mentioned this issue Mar 14, 2024
Merged
@maxatdetroit maxatdetroit added the prioritization-required This issue needs to be prioritized for future releases. label Apr 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maxatdetroit maxatdetroit

Labels
bug Something isn't working prioritization-required This issue needs to be prioritized for future releases.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@maxatdetroit