Fixed XSS #67
Fixed XSS #67
Conversation
|
@AlexKlimenkov Can you take a look at this fix. |
|
Hi @Aravindha1234u ! Thank you for your suggestion! This is a design solution and is not considered XSS issue. dhtmlxGantt is used as a part of a client-server web application, where gantt is one of the components used on the client-side. The fact that you can enter a value that will execute javascript on the page opened by you is not the issue by itself. There is no way to prevent you from executing any arbitrary code on the page opened by you since you can always open the browser console and run code there. Our current position is that it's the responsibility of the backend server to sanitize/clean the data either before saving it to the DB or before passing it to the client-side where it's consumed by gantt. If the backend is implemented safely such an XSS attack is not possible. As for why dhtmlxGantt doesn't clean the data by default, it's due to how it's used. If you want to add an extra layer of protection, you can redefine templates to strip html before output and/or escape data before saving https://docs.dhtmlx.com/gantt/desktop__app_security.html#xssattacks |
|
Hi @AlexKlimenkov, I got it. I just fixed for disclosure which was opened by another researcher in huntr.dev, so that might able for claim for bounty, if you merge my PR |
馃搳 Metadata *
Bounty URL: https://huntr.dev/bounties/1-npm-dhtmlx-gantt
鈿欙笍 Description *
dhtmlx-gantt javascript library renders json data into charts. Which does not care about data encoding before rendering into charts. I have escaped the HTML tags and other using javascript prefined function.
馃捇 Technical Description *
I have escaped all text will rendering the data
馃悰 Proof of Concept (PoC) *
Payload :
<img src=x onerror=alert(document.location)>add this to task information.
馃敟 Proof of Fix (PoF) *
馃憤 User Acceptance Testing (UAT)