XSS in tagify's template wrapper #988

Closed
@rrott

Description

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

💥 Demo Page

React issue template:
tagify-react-wrapper-forked

Explanation

We have found a bug in tagify's template wrapper that leads to an XSS vulnerability, making applications that use tagify.js or react.tagify vulnerable as well.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Refs:

https://owasp.org/www-community/attacks/xss/
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Affected file:

https://github.com/yairEO/tagify/blob/master/src/parts/templates.js#L13

data-placeholder="${_s.placeholder || '​'}"
aria-placeholder="${_s.placeholder || ''}"

Example on codesandbox.io

Steps to reproduce:

  1. Open the following forked Tagify React Wrapper demo
  2. Notice line #17, where a customUserInput variable is declared. This variable mocks data that came from an API or an input.
  3. On line #23 we use the customUserInput variable to customize tags.
  4. Once the demo app is rendered, open the "Tags" tab and hover on the first input. It will fire the XSS.

The following screenshot shows the XSS run on codesandbox.io
Screenshot 2022-02-16 at 16 40 08

The following screenshot shows the same XSS run in the dev build of the app.
Screenshot 2022-02-16 at 17 36 28

As you can see, tagify builds a new span with an attribute that was not supposed to be there.
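The root cause described above is raw interpolation of the placeholder setting into an HTML attribute in a template string. The following is an added example, not tagify's code or the reporter's demo: it contrasts that unescaped pattern with an attribute-escaped version, using a constructed placeholder value that stands in for the mocked API/input data. The function names and the `settings` object shape are assumptions for illustration.

```javascript
// Added example (not tagify's code). A wrapper template that interpolates
// settings.placeholder straight into a quoted attribute lets attribute
// metacharacters in the value change the markup; escaping first keeps it data.

// Minimal HTML-attribute escaper: neutralises every character that can close a
// quoted attribute value or open a tag.
function escapeHtmlAttr(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Pattern reported in the issue: the setting is interpolated unescaped.
function renderWrapperUnsafe(settings) {
  return `<span data-placeholder="${settings.placeholder || ''}"></span>`;
}

// Hardened variant: the same template, but the value is escaped first.
function renderWrapperSafe(settings) {
  const placeholder = escapeHtmlAttr(settings.placeholder || '');
  return `<span data-placeholder="${placeholder}"></span>`;
}

// Constructed user-controlled value (mocks data from an API or an input). It
// closes the quoted attribute and adds a second, unexpected attribute.
const constructedPlaceholder = 'Add tags" data-injected="1';

// Counts quoted attributes on the rendered markup, so the breakout is checkable:
// the unsafe render yields 2 attributes, the safe render yields the expected 1.
function countAttributes(html) {
  return (html.match(/\s[\w-]+="/g) || []).length;
}

console.log(renderWrapperUnsafe({ placeholder: constructedPlaceholder }));
console.log(renderWrapperSafe({ placeholder: constructedPlaceholder }));
```

Escaping at the template is the fix for this sink; the same escaper should be applied to every setting that ends up inside a quoted attribute.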
