
Stored XSS Vulnerability #359

Closed
prodigysml opened this issue Oct 27, 2017 · 3 comments
@prodigysml

Description

An attacker can arbitrarily execute JS code in another user's browser.

Steps to reproduce

  1. Log in with a valid user
  2. Change the user's display name to <img src=x onerror=alert(1)>
  3. Log out of the account.
  4. Log into an admin user
  5. Navigate to the user page (listing all users). Notice that an alert box pops up, showing execution of JS

Remediation

When printing this variable out, simply HTML encode it.

@austintoddj (Owner)

Thanks for opening this @prodigysml. We'll see what we can do about getting this into a future release.

@gmce93 commented Jan 3, 2018

Looks to be an issue with how jQuery Bootgrid is re-rendering the table. Although we have escaped the data with Laravel, Bootgrid re-inserts the cell data in an HTML node, rather than a text node.

Looks like there is an open PR on the Bootgrid repo for this, but there is a fix that we could make on our side:
https://gist.github.com/glennmcewan/d1435dd3894049b1be7defe58bc83fb5

It does remove the XSS issue, but of course it's not ideal and it's not a blanket solution. @austintoddj thoughts? I'll PR it if you're happy with this as a fix.

@prodigysml thanks for raising an issue; have you found any other instances?
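The re-rendering problem described in the comment above, with the client-side mitigation it points at, as an added example: this is not the linked gist or the project's own code. It assumes the users table is a jQuery Bootgrid instance with a column holding the user-supplied display name; the column id, the option names and the row shape are assumptions.

```javascript
// Added example, not code from the Canvas project or the linked gist.
// Bootgrid reads the already-escaped cell text back out of the table and then
// inserts it as markup, which undoes Laravel's Blade escaping. A column
// formatter runs at that insertion point, so encoding there keeps the value
// inert even though the plugin treats the formatter's return value as HTML.

// Minimal HTML encoder for the five characters that can open or close a tag
// or attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Bootgrid options object (column id "displayName" is an assumption). In the
// page this is passed as $("#users-grid").bootgrid(bootgridOptions), with the
// header cell carrying data-formatter="displayName".
const bootgridOptions = {
  formatters: {
    displayName: function (column, row) {
      return escapeHtml(row.displayName);
    },
  },
};

// Apply the formatter to one row the way the plugin would, looked up by column
// id here (simplification) so the result can be checked without a browser.
function renderCell(columnId, row) {
  const formatter = bootgridOptions.formatters[columnId];
  return formatter ? formatter({ id: columnId }, row) : String(row[columnId]);
}

// Constructed sample row using the payload from the reproduction steps above.
const sampleRow = { id: 7, displayName: "<img src=x onerror=alert(1)>" };
console.log(renderCell("displayName", sampleRow));
// → &lt;img src=x onerror=alert(1)&gt;
```

Without the formatter the same row renders the raw string as markup, which is the failure the comment describes; with it the browser shows the literal characters instead.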

@austintoddj (Owner)

First off, thanks for taking the time to create the issue. Closing because everything v3.x related will remain as-is and won’t receive any more updates. The next release is slated for this week, so stay tuned!
