g:select tag has reflected/stored XSS vulnerability in grails 2 and 3

[gschueler]

Steps to Reproduce

1. Use the <g:select ../> tag
2. Either Provide a set of key/value pairs using optionKey or a list of strings with the from attribute
3. Any unescaped strings, or objects with unescaped key are not encoded
4. Values via URL params, or from stored domain object would cause XSS

Example:

<%
  def data=[["key":"\"></option></select><script>alert('hi')</script>", value: "option"]]
%>

<g:select name="test" from="${data}" optionKey="key" optionValue="value" />

<%
  def data2=["abc","\"></option></select><script>alert('hi')</script>"]
%>

<g:select name="test" from="${data2}" />

Expected Behaviour

The value= attribute of the <option> that is generated should be properly HTML encoded.

<select name="test">
<option value="&quot;&gt;&lt;/option&gt;&lt;/select&gt;&lt;script&gt;alert(&#39;hi&#39;)&lt;/script&gt;">option</option>
</select>

Actual Behaviour

The value= attribute of the <option> that is generated is not HTML encoded.

<select name="test">
<option value=""></option></select><script>alert('hi')</script>">option</option>
</select>

Environment Information

• Operating System: Mac OS X 10.11.6
• Grails Version: 2.5.5, 3.2.1
• JDK Version: 1.8
• Container Version (If Applicable): any

Example Application

• TODO: link to github repository with example that reproduces the issue

if necessary i can create an example repo, but it is simple to reproduce

[gschueler]

if necessary here is a demo repo using grails 2.5.5 https://github.com/gschueler/grails2-xss-demo1

[gschueler]

only mitigation seems to be to manually do .encodeAsHTML() on all values used for the <g:select> tag :/

[ColinHarrington]

The default codec for taglibs is 'none' which means that taglibs are then expected to handle the task of encoding. Your example app uses the default.

• https://github.com/gschueler/grails2-xss-demo1/blob/master/grails-app/conf/Config.groovy#L53
• http://docs.grails.org/2.5.x/guide/security.html#xssPrevention

It looks like the value is being written out here and is missing the encoding step via .encodeAsHtml() or delegating to the codecLookup

[gschueler]

Yes, I think the g:select tag is supposed to handle its own encoding, but is failing to do it on line 1075 as you mentioned. In other locations the output is correctly encoded.

Sorry, setting taglibs = 'html' in Config.groovy or taglib: html in application.yml causes all output from gsp pages to be encoded, and the user just sees HTML in the browser, so...that can't be the correct solution to this?

<!doctype html>
<html lang="en" class="no-js">
&lt;head&gt;
    &lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text/html; charset=UTF-8&quot;/&gt;
    &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot;/&gt;
    &lt;title&gt;
        Welcome to Grails
    &lt;/title&gt;

and so on...

[ColinHarrington]

@gschueler Sorry that could have been misleading. I wasn't suggesting changing the default codec as a fix. I was simply quantifying the defaults and expectations of the FormTaglib.

I can reproduce this issue.

[jameskleeh]

I'm not sure the proposed behavior is desired since the encoded value will typically be sent as a parameter to the server. If it is encoded then it won't have much value without being manually decoded in the controller. What is the use case to have string like data from the client as the value of an option?

[gschueler]

@jameskleeh the proper representation of the value in HTML is encoded. The browser will decode it.

[jameskleeh]

@gschueler I understand the browser will decode it, however if the select is in a form, I believe the encoded value will be sent in the params.

[gschueler]

@jameskleeh no, the browser will decode it into the correct value, and that value will be sent. The encoding is only to represent it in HTML. Whether the value is from client/db/hardcoded, it should be HTML-encoded in the HTML.

[jameskleeh]

@gschueler I just did a test:

GSP:

<g:form>
    <select name="foo" id="foo">
        <option value="&amp;lt;&amp;gt;">&amp;lt;&amp;gt;</option>
    </select>
    <g:submitButton name="Foo"></g:submitButton>
</g:form>

Controller:

class TestController {

    def index() {
        println params.foo
        [:]
    }
}

I am seeing <> printed to the console, which confirms my point.

[gschueler]

I think you double encoded it? If you were trying to encode <> it should be <>.

<> decoded becomes <>

change it to

<option value="&lt;&gt;">&lt;&gt;</option>

The unencoded value <> is printed.