XSS vulnerability in HTMLSanitizer might be insufficiently handled

dabide · May 16, 2021, 7:57pm

As stated elsewhere, @MedAziz1 recently blogged about the vulnerability in HTMLSanitizer that he reported back in 2019, resulting amongst other in this article and a tweet by the CVE team.

Aziz also expresses these worries: “The 2.0 version of its framework hasn’t been released and its biggest 1.x contributor is now working at Microsoft on fast so it remains to be seen what the future of the Aurelia framework [and its security] is,” he commented.

In the original discussion, @EisenbergEffect concluded this way:

I am not convinced that this addresses the concerns sufficiently. Many people will use the sanitizeHTML value converter without knowing about the issues, especially if they started using it before the docs were edited in 2019. There’s no guarantee that they will see the warning in the console, either.

My suggestion would be the following:

Make HTMLSanitizer throw an error in its sanitize() function, requiring supplying a “real” implementation to work at all.
Deprecate all previous versions of the aurelia-templating-resources NPM package, and possibly also aurelia-bootstrapper.
(Perhaps too radical?) Make innerhtml.bind require and use a sanitizer implementation, with an explicit option to override.

MedAziz1 · May 17, 2021, 10:46pm

Hello There,

Since there is already a discussion for this, I’d like to add a little something.
In the last couple of days, I’ve decided to check the pre-release version of Aurelia 2. I found that this issue appears to have found its way there . As can be seen below, the same default sanitizer (written in a slightly different way) is being used on the untrusted markup.

Concerned file:

github.com

aurelia/aurelia/blob/master/packages/runtime-html/src/resources/value-converters/sanitize.ts

import { DI } from '@aurelia/kernel';
import { valueConverter } from '@aurelia/runtime';

const SCRIPT_REGEX = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

export interface ISanitizer {
  /**
   * Sanitizes the provided input.
   *
   * @param input - The input to be sanitized.
   */
  sanitize(input: string): string;
}

export const ISanitizer = DI.createInterface<ISanitizer>('ISanitizer', x => x.singleton(class {
  public sanitize(input: string): string {
    return input.replace(SCRIPT_REGEX, '');
  }
}));

This file has been truncated. show original

dabide · May 19, 2021, 6:46am

I created an issue for this:

github.com/aurelia/aurelia

ISanitizer should not have an insecure default implementation

opened 06:45AM - 19 May 21 UTC

dabide

# 💬 RFC ## 🔦 @MedAziz1 yesterday [pointed out on the Aurelia Discord](https://…discourse.aurelia.io/t/xss-vulnerability-in-htmlsanitizer-might-be-insufficiently-handled/4219/2?u=dabide) that Aurelia 2 has the same vulnerability in its default HTML sanitizer implementation that Aurelia 1 has: https://github.com/aurelia/aurelia/blob/master/packages/runtime-html/src/resources/value-converters/sanitize.ts `ISanitizer` should either not have a default implementation, or have a secure one. Otherwise, the default implementation will create a false sense of security, and many will unwittingly use it without knowing that it only supplies a very basic level of protection. Putting a warning in the documentation won't necessarily help much, because it might have been introduced into the codebase by somebody else, and the developer is just following pattern, or they just found it in some search result.

Topic		Replies	Views
Vulnerability Disclosure Contact	10	1909	May 15, 2019
How to Handle HTML Sanitization in Aurelia 2? Help Requests	0	1	June 27, 2024
Plugin for using DOMPurify as Aurelia's HTML sanitizer Framework Knowledge	29	1649	May 22, 2021
Security Concerns in Aurelia	9	2235	November 22, 2017
Where is Aurelia 2's HTMLSanitizer? vNext	7	231	July 3, 2024

XSS vulnerability in HTMLSanitizer might be insufficiently handled

Related topics