fronts icon indicating copy to clipboard operation
fronts copied to clipboard

Published 20 hours ago verified publisher icon unadlib

Fix for Cross-Site Scripting (XSS) Vulnerability

Open gtsp233 opened this issue 1 year ago • 1 comments

Hi, I've found a Cross-Site Scripting (XSS) vulnerability in this package.

Vulnerability Details:

  • Severity: High/Critical
  • Description: There's a risk of malicious script execution when the src of the iframe tag is controlled by an adversary.

Steps to Reproduce: In a React.js project:

import React from "react";
import ReactDOM from "react-dom/client";
import { useIframe } from "fronts";

function App() {
  useIframe({
    url: "javascript:alert(1)",
    name: "test",
    attrs: {},
    target: document.getElementById("root"),
  });
  return <div />
}

const root = ReactDOM.createRoot(document.getElementById("root"));
root.render(
  <React.StrictMode>
    <Provider store={store}>
      <App />
    </Provider>
  </React.StrictMode>
);

Then the malicious code alert(1) will be executed.

Suggested Fix or Mitigation: It is best practice for a React.js components package to sanitize the sec attribute before passing it to an

As for the fronts packages, it's expected that the iframe src should not be javascript protocol.

I've already fixed this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request to resolve this vulnerability.

If you have any questions, please let me know. Thanks!

gtsp233 avatar Dec 12 '23 01:12 gtsp233

I don't think this is a situation that the framework should have to cover, it should be handled by the developer themselves with settings such as CSP or sandbox, including qualifying trusted urls to secure the iframe.

unadlib avatar Dec 14 '23 10:12 unadlib