Skip to content

sanitize submission value#546

Open
gtsp233 wants to merge 1 commit intoformio:master_oldfrom
gtsp233:sanitize-submission
Open

sanitize submission value#546
gtsp233 wants to merge 1 commit intoformio:master_oldfrom
gtsp233:sanitize-submission

Conversation

@gtsp233
Copy link

@gtsp233 gtsp233 commented Dec 7, 2023
edited
Loading

Fix for Cross-Site Scripting (XSS) Vulnerability

I've identified a Cross-Site Scripting (XSS) vulnerability in this package.

Vulnerability Details:

  • Severity: High/Critical
  • Description: There's a risk of malicious script execution when an adversary controls the submission content.

Steps to Reproduce:
In a React.js project, render the SubmissionGrid component with the data:

import { SubmissionGrid } from '@formio/react'

        <SubmissionGrid
          submissions={{
            limit: 1,
            pagination: {
              page: 1,
              numPages: 1,
              total: 1,
            },
            submissions: [
              {
                id: "1",
                isHtml: true,
                content: `<img src='' onError=alert(1)`,
                data: {
                  firstName: (submission) => {
                    return "1";
                  },
                  lastName: `<img src='' onError=alert(1)>`,
                },
              },
            ],
          }}
          form={{
            components: [
              {
                type: "textfield",
                key: "firstName",
                label: "First Name",
                input: true,
                tableView: true,
              },
              {
                type: "button",
                key: "lastName",
                label: "Last Name",
                input: true,
                tableView: true,
              },
            ],
          }}
          columns={[
            {
              key: "firstName",
              label: "First Name",
              sort: true,
              value: (submission) => {
                return {
                  content: submission.data.lastName,
                  isHtml: true,
                };
              },
            },
          ]}
/>

Then the malicious code alert(1) will be executed.

Suggested Fix or Mitigation:
It is best practice for a React.js components package to sanitize content before passing it to dangerouslySetInnerHTML, even when the data has been pre-sanitized on the server side.

I've used isomorphic-dompurify to sanitize the submission content and tested it locally. Please review and merge my pull request at your earliest convenience to resolve this vulnerability. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gtsp233