mrjoes/sockjs-tornado

URL Path XSS Vulnerability

Closed · 1 comment

An XSS vulnerability has been observed using the README example.

To reproduce, run the following application (the echo server from the README):

```python
from tornado import web, ioloop
from sockjs.tornado import SockJSRouter, SockJSConnection


class EchoConnection(SockJSConnection):
    # Echo every received message straight back to the client.
    def on_message(self, msg):
        self.send(msg)


if __name__ == '__main__':
    # Mount the SockJS endpoint (all transports, including htmlfile) under /echo.
    EchoRouter = SockJSRouter(EchoConnection, '/echo')

    app = web.Application(EchoRouter.urls)
    app.listen(9999)
    ioloop.IOLoop.instance().start()
```

Then, visit this URL: http://localhost:9999/echo/201/nurtnfen/htmlfile?c=1_%3C/script%3E%3Cscript%3Eprompt(document.domain)%3C/script%3E

This is visible in Firefox, since Chrome comes with a built-in XSS Auditor that prevents the actual page load with ERR_BLOCKED_BY_XSS_AUDITOR.

I believe this is caused entirely by how the HTMLFILE_HEAD template is rendered, making use of possibly unsafe user input.
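The mechanism behind the report, as an added illustration that is not part of the issue or of sockjs-tornado's own code: the htmlfile transport takes the `c` query parameter as the name of a callback in the parent window and writes it into a `<script>` block, so a value containing `</script>` closes the block and the rest of the parameter is rendered as markup. The template below is a constructed stand-in for the real `HTMLFILE_HEAD` (it only reproduces the shape that matters), and the allow-list regex, the `is_safe_callback`/`render_safe` helper names and the `_jp.a1b2c3` sample callback are assumptions, not the project's fix.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for an htmlfile transport head. It is NOT the project's
# HTMLFILE_HEAD; it only mirrors the relevant shape: the callback name taken
# from the "c" query parameter is written inside a <script> block.
HTMLFILE_HEAD_STAND_IN = """<!doctype html>
<html><head>
  <script>
    document.domain = document.domain;
    var c = parent.%s;
    c.start();
    function p(d) {c.message(d);};
    window.onload = function() {c.stop();};
  </script>
"""

# Assumed allow-list for a JavaScript property path such as "_jp.a1b2c3":
# identifier characters and dots only. Quotes, angle brackets, slashes and
# whitespace cannot occur in a valid callback path and are rejected outright.
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_.]+$")

# The URL from this report, unchanged.
REPORTED_URL = ("http://localhost:9999/echo/201/nurtnfen/htmlfile"
                "?c=1_%3C/script%3E%3Cscript%3Eprompt(document.domain)%3C/script%3E")


def callback_from_url(url):
    """Extract the 'c' query parameter the way a web framework would (URL-decoded)."""
    params = parse_qs(urlsplit(url).query)
    values = params.get("c")
    return values[0] if values else None


def is_safe_callback(callback):
    """True only for a plain JS property path; None and anything else is rejected."""
    return callback is not None and CALLBACK_RE.match(callback) is not None


def render_unsafe(callback):
    """Vulnerable rendering: the callback is interpolated into the script verbatim."""
    return HTMLFILE_HEAD_STAND_IN % callback


def render_safe(callback):
    """Hardened rendering: validate the callback before it reaches the template."""
    if not is_safe_callback(callback):
        raise ValueError('"callback" parameter is missing or invalid')
    return HTMLFILE_HEAD_STAND_IN % callback


if __name__ == "__main__":
    cb = callback_from_url(REPORTED_URL)
    print("decoded callback:", cb)
    print("unsafe output carries the injected script:",
          "<script>prompt(document.domain)</script>" in render_unsafe(cb))
    try:
        render_safe(cb)
    except ValueError as exc:
        print("safe renderer rejected it:", exc)
    print("safe renderer accepts a normal callback:",
          "parent._jp.a1b2c3;" in render_safe("_jp.a1b2c3"))
```

Escaping the value is not the right fix here: the parameter is used as JavaScript code (`parent.<callback>`), so HTML-escaping would simply break the transport, while an allow-list of identifier characters keeps every legitimate callback working and leaves no way to break out of the script block.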

Thank you! Fixed, pushed a new version to PyPI.