XSS vulnerability

Open dhruvgognaa opened this issue 8 years ago • 5 comments

While playing around with the filters on http://www.dustjs.com/docs/syntax/ under the "{reference}" section, I noticed that if I change the value of "markup" to `<img src=x onerror=alert(125)>`, the alert box pops up, and none of the filters (s, j, h) resolve the issue (sorry it even came to hit and trial to see if I was missing anything on my end). Not sure if the team is aware of the issue, but I wanted to put it out there.

Dust template:

```
{name} is a valid Dust reference.{~n} {0name} is not a valid Dust reference.{~n} {.name} is a valid Dust reference.{~n} {.} is a valid dust reference.{~n} {markup|h}: HTML is escaped by default.
```

Data:

```json
{ "name": "name", "0name": "0name", "markup": "" }
```

Compiled Dust:

```js
(function(dust){dust.register("reference",body_0);function body_0(chk,ctx){return chk.f(ctx.get(["name"], false),ctx,"h").w(" is a valid Dust reference.\n{0name} is not a valid Dust reference.\n").f(ctx.getPath(true, ["name"]),ctx,"h").w(" is a valid Dust reference.\n").f(ctx.getPath(true, []),ctx,"h").w(" is a valid dust reference.\n").f(ctx.get(["markup"], false),ctx,"h",["h"]).w(": HTML is escaped by default.");}body_0.__dustBody=!0;return body_0}(dust));
```

Output:

```
name is a valid Dust reference. {0name} is not a valid Dust reference. name is a valid Dust reference. [object Object] is a valid dust reference. : HTML is escaped by default.
```

dhruvgognaa avatar Jul 25 '16 23:07 dhruvgognaa

@smfoote can you peek at this?

sethkinast avatar Jul 25 '16 23:07 sethkinast

Wellll whad'ya know, "markup" is supposed to be <img src=x onerror=alert(123)>

dhruvgognaa avatar Jul 25 '16 23:07 dhruvgognaa

As far as I can tell, there is an error in how the demo web component is escaping HTML in the JSON. I don't believe this is an XSS hole in Dust itself. I'll keep researching.

smfoote avatar Jul 26 '16 16:07 smfoote
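To make the distinction in this thread concrete (the template engine escaping its output versus the surrounding demo page re-inserting the raw data), here is an added example that is not dustjs code and not the docs site's component. `escapeHtml`, `render`, `dataPanelUnsafe` and `dataPanelSafe` are hypothetical stand-ins written for this example; the real cause in the demo component is not established by the thread, so the unsafe path below is only an illustration of the class of bug smfoote describes.

```javascript
// Escapes the five characters that matter in HTML text and attribute contexts.
// Hypothetical stand-in in the spirit of Dust's `h` filter, not dust.escapeHtml.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Minimal renderer for {ref} and {ref|filter} references against a data object.
// Unfiltered references and |h both escape; |s suppresses escaping. This mirrors
// the "HTML is escaped by default" behaviour shown in the issue's template, but
// it is a toy written for this example, not Dust's compiler or runtime.
function render(template, data) {
  return template.replace(/\{(\w+)(?:\|(\w+))?\}/g, (_, name, filter) => {
    const raw = data[name] === undefined ? "" : String(data[name]);
    return filter === "s" ? raw : escapeHtml(raw);
  });
}

// Constructed payload: the "markup" value from the issue report.
const PAYLOAD = "<img src=x onerror=alert(123)>";

// Two ways a demo page could show the data object next to the rendered output.
// JSON.stringify does not touch '<' or '>', so embedding its result directly in
// page HTML (the hypothetical unsafe path) reintroduces the raw tag even though
// the template output itself was escaped correctly.
function dataPanelUnsafe(data) {
  return "<pre>" + JSON.stringify(data) + "</pre>";
}
function dataPanelSafe(data) {
  return "<pre>" + escapeHtml(JSON.stringify(data)) + "</pre>";
}

// Defender's check: does a fragment still carry the raw img tag from the payload?
function leaksRawImgTag(fragment) {
  return fragment.includes("<img");
}
```

The check that matters for a live demo is the last one: run it over every fragment the page builds from user-supplied data, not only the template output. The template output passes in both cases here; the data panel only passes when it goes through the same escaping.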

Yeah, I think it's definitely just the component; that was why I thought you might know best how to handle it. It's just a self-XSS, so not critical, no worries.

sethkinast avatar Jul 26 '16 16:07 sethkinast

It's a weird one, and now I'm curious.

smfoote avatar Jul 26 '16 16:07 smfoote