XSS vulnerability in facet results

Created on 19 September 2024, 4 months ago

Problem/Motivation

This module does not sanitize the value attribute of the hidden inputs it creates, so it can lead to an XSS injection. If an attacker can write content that gets indexed in the facet source, they can inject attributes into the input.

This line injects a string into the value without escaping it. So if the string contains a ', it can be used to inject HTML.

Steps to reproduce

  1. Have a facet result that contains foo" newattribute="foo".
  2. Type foo in the autocomplete field and inspect the HTML.
  3. The hidden input has unwanted attributes.

It is kind of hard to exploit this, but there are ways to exploit injections in hidden input attributes: https://portswigger.net/research/xss-in-hidden-input-fields

Proposed resolution

innerHTML is not safe for this; it would be better to create the input by manipulating the DOM (createElement and property assignment), so the result value is never parsed as markup.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Closed: duplicate

Version

2.2

Component

Code

Created by

prudloff (Lille, France)
