g:checkBox name attribute is not escaped, allowing potential XSS attacks
QuinnArthurBaker opened this issue · 1 comment
Steps to Reproduce
- Create a checkBox element in a gsp with a specially crafted name attribute, which involves closing the raw input tag's name attribute, e.g. `<g:checkBox name='" onClick="console.log(1)"' />`
- Load the gsp with the malicious checkbox and click it.
Expected Behaviour
Nothing. The name attribute is treated as a literal string.
Actual Behaviour
In the example given above in the Steps to Reproduce, clicking the checkbox will log a 1 in the console, as the onclick piece of the value for the name attribute is treated as a literal attribute.
Environment Information
- Operating System: Arch Linux 5.3.13
- Grails Version: 4.0.0
- JDK Version: 1.8.0_232
Example Application
https://github.com/zack-baker/demo-grails-checkbox-vulnerability
On its own, this issue is not of major concern, since a developer would be unlikely to intentionally exploit this vulnerability maliciously in their own application. However, if (for whatever reason) an application allows users to submit values which are then used as the name attributes for checkbox elements in the future, users could submit malicious values to undesirably alter the checkbox for future users.
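The break-out described in the steps above, reproduced as an added example in plain Groovy; this is not code from the Grails project or from the linked demo application. It interpolates the crafted value straight into a raw `<input>` tag the way an unescaped tag would, then renders the same value through a hand-written `escapeAttr` helper that stands in for an HTML attribute codec (in Grails that would be the HTML codec, e.g. `encodeAsHTML()`); the helper exists only so the script runs without Grails on the classpath. `attributeNames` is a deliberately crude approximation of how a browser tokenizes double-quoted attributes, enough to show which attributes each rendering ends up with.

```groovy
// Added example, not Grails FormTagLib code. Shows the attribute break-out
// from the issue and the effect of HTML-attribute-encoding the name value.

// Constructed input: the crafted name attribute from the report.
String craftedName = '" onClick="console.log(1)"'

// What an unescaped tag effectively does: drop the value straight into the
// name attribute of the raw <input> tag.
String renderUnescaped(String name) {
    "<input type=\"checkbox\" name=\"${name}\" />"
}

// Minimal HTML attribute encoder (assumption: a stand-in for a real HTML
// codec such as Grails' encodeAsHTML(), covering the characters that can
// terminate or alter a double-quoted attribute value).
String escapeAttr(String s) {
    s.replace('&', '&amp;')
     .replace('"', '&quot;')
     .replace("'", '&#39;')
     .replace('<', '&lt;')
     .replace('>', '&gt;')
}

// The hardened rendering: encode before interpolating into the attribute.
String renderEscaped(String name) {
    "<input type=\"checkbox\" name=\"${escapeAttr(name)}\" />"
}

// Crude stand-in for a browser's attribute tokenizer: collect every
// name="value" pair, where the value runs up to the next raw double quote.
List<String> attributeNames(String tag) {
    (tag =~ /([A-Za-z][\w-]*)="([^"]*)"/).collect { it[1] }
}

String bad = renderUnescaped(craftedName)
println bad
// <input type="checkbox" name="" onClick="console.log(1)"" />
println attributeNames(bad)
// [type, name, onClick]  <- an event handler attribute was injected

String good = renderEscaped(craftedName)
println good
// <input type="checkbox" name="&quot; onClick=&quot;console.log(1)&quot;" />
println attributeNames(good)
// [type, name]  <- the payload stays inert text inside the name value
```

The unescaped rendering contains an `onClick` attribute that the developer never wrote, which is exactly the console output the report describes; the encoded rendering keeps the whole crafted string as the literal value of `name`, matching the expected behaviour of treating the attribute as a plain string.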
The FormTagLib tag attributes are defined by the Grails developer. In other words, the name attribute of checkBox has to be provided during development (it's a required attribute of the tag) so the application knows how to handle this data (i.e. bound to a command object or something).
So, user-submitted content would never be used for the name attribute and require escaping in this manner.