HTML-encoded content of a table is rendered as mark-up in the table filter list of checkboxes
Opened this issue · 0 comments
I discovered an issue where XSS-injection is facilitated by the plug-in.
The plug-in will parse all cells of the table it is added to. During this parsing, the innerText properties of the tds are used. When the cells contain encoded mark-up, the encoding is lost and the mark-up will be interpreted, thus creating an XSS vulnerability.
This example demonstrates the problem:
<!DOCTYPE html>
<html lang="en">
<head>
<title>XSS example with column filter in Excel-like-Bootstrap-Table-Sorting-Filtering-Plugin</title>
<script src="https://code.jquery.com/jquery-3.4.1.js"></script>
<script src="excel-bootstrap-table-filter-bundle.js"></script>
</head>
<body>
<table>
<thead>
<tr>
<th>Column A</th>
</tr>
</thead>
<tbody>
<tr><td>Plain text</td></tr>
<tr>
<!-- The cell text is HTML-encoded, so the page itself shows it literally; the filter list does not. -->
<td>&lt;svg onload="alert('Here\'s some injected script!')"&gt;</td>
</tr>
<tr>
<td>&lt;svg onload=prompt(document.cookie)&gt;</td>
</tr>
</tbody>
</table>
<script>
$(function() {
$('table').excelTableFilter({});
});
</script>
</body>
</html>
Upon opening the page, you will receive two JavaScript alerts.
This issue was produced with a copy of https://raw.githubusercontent.com/chestercharles/excel-bootstrap-table-filter/master/dist/excel-bootstrap-table-filter-bundle.js and it assumes that the plugin js file is available in the directory where the html file is located.
In my case, the table is filled with user-provided data, through an upload. I thought that I didn't have an issue, as I was encoding the data properly, but hadn't thought of this issue.
Of course, I have other means to mitigate the vulnerability and will apply them, but I think this issue could easily be resolved by maintaining the encoding in the checkbox labels.
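The following is an added example, not code from the issue or from the plug-in, that models the defect the report describes and the fix it proposes. It assumes (as a simplified stand-in for the plug-in's internals) that the filter list is built by concatenating each cell's decoded innerText into an HTML string for a checkbox label; the sample cell texts are constructed from the three cells in the report's table.

```javascript
// Added example (hypothetical model of the plug-in, not its real code).
// In the browser, td.innerText returns the *decoded* text of a cell: a cell
// whose source is "&lt;svg ...&gt;" yields the string "<svg ...>". If that
// string is concatenated into HTML for the filter list, the mark-up goes live.

// Constructed sample: decoded innerText of the three cells in the issue.
const CELL_TEXTS = [
  "Plain text",
  "<svg onload=\"alert('Here\\'s some injected script!')\">",
  "<svg onload=prompt(document.cookie)>",
];

// Minimal HTML escaper, adequate for both text nodes and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the decoded cell text is interpolated straight into
// mark-up, so it can break out of the value attribute and inject elements.
function buildLabelUnsafe(cellText) {
  return `<label><input type="checkbox" value="${cellText}"> ${cellText}</label>`;
}

// Hardened pattern: every interpolation point is re-encoded, so the label
// displays the cell text literally, exactly as the table cell itself does.
function buildLabelSafe(cellText) {
  const safe = escapeHtml(cellText);
  return `<label><input type="checkbox" value="${safe}"> ${safe}</label>`;
}

// Builds the whole filter list for one column from its unique cell values.
function buildFilterList(cellTexts, buildLabel) {
  return [...new Set(cellTexts)].map(buildLabel).join("\n");
}

// Detection helper: true if the fragment contains an element tag other than
// the <label>/<input> pair the builder itself emits.
function hasInjectedTag(html) {
  return /<(?!\/?(label|input)\b)[a-z]/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe list contains injected tag:",
  hasInjectedTag(buildFilterList(CELL_TEXTS, buildLabelUnsafe)));
console.log("safe list contains injected tag:",
  hasInjectedTag(buildFilterList(CELL_TEXTS, buildLabelSafe)));
console.log(buildFilterList(CELL_TEXTS, buildLabelSafe));
```

When the list is built with real DOM calls instead of strings, the same fix is to set `input.value = cellText` and `label.appendChild(document.createTextNode(cellText))` rather than assigning an HTML string to `innerHTML`; the browser then keeps the text as text, which is what the report's last sentence asks for.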