Bug 43755 - Strengthen javascript utilities against XSS attacks
Strengthen javascript utilities against XSS attacks
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
: P5 normal
: ---
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2017-03-08 17:04 CET by Florian Best
Modified: 2021-07-06 12:17 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Florian Best univentionstaff 2017-03-08 17:04:03 CET
We have various places in the JavaScript code where no escaping of HTML is done.
This might lead to parsing errors in the browser (e.g. if the content contains a ">") and even - if the content is built up from user input - to XSS attacks, which allow requests to be made with the valid session of logged-in users.

E.g. the following functions…:
umc.dialog.alert()
umc.dialog.confirm()
umc.dialog.confirmForm()
umc.widgets.Text
… probably more …

…could take additional parameters, if they allow HTML content.
Most often this is not needed, so the default should be false.
Comment 1 Florian Best univentionstaff 2017-03-27 19:29:52 CEST
Also _Module.set('title') doesn't escape HTML (this is used in UDM with HTML). A flag _Module.titleAllowHTML should be implemented.
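The opt-in pattern described in the description and in comment 1 (escape by default, raw HTML only when the caller explicitly asks for it), as an added example that is not part of this bug report and not Univention's code. `encodeHTML`, `setLabel`, the `allowHTML`/`required` options and the plain object standing in for a DOM node are assumptions made for this example; in UMC the encoder would be `dojox/html/entities` and the target a real label node.

```javascript
// Added example (not Univention code): an opt-in "allowHTML" pattern for
// widget code that writes caller-supplied text into innerHTML.
// encodeHTML and the plain-object "node" are stand-ins for dojox/html/entities
// and a real DOM node; they are assumptions for this example.

// Minimal HTML entity encoder covering the characters that can break out of
// text content or an attribute value. null/undefined pass through unchanged.
function encodeHTML(str) {
  if (str === null || str === undefined) {
    return str;
  }
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, function (ch) {
    return map[ch];
  });
}

// Widget-like setter. allowHTML defaults to false, so a caller that really
// needs markup in a label (as UDM does for titles) has to opt in explicitly
// and thereby takes over responsibility for escaping the content itself.
// Returns the string that was written to the node.
function setLabel(node, label, options) {
  var opts = options || {};
  var allowHTML = opts.allowHTML === true;
  // Encode first, then append the required marker so the marker is never
  // escaped and the label text is never interpreted as markup by accident.
  var labelHTML = allowHTML ? label : encodeHTML(label);
  if (opts.required && labelHTML) {
    labelHTML = labelHTML + ' *';
  }
  node.innerHTML = labelHTML || '';
  return node.innerHTML;
}

// Constructed sample values: a label containing a ">" and one containing
// markup that a caller intentionally wants rendered.
var node = { innerHTML: '' };
console.log(setLabel(node, 'a > b & "c"'));                       // escaped text
console.log(setLabel(node, '<b>Name</b>'));                       // escaped, default
console.log(setLabel(node, '<b>Name</b>', { allowHTML: true, required: true })); // raw, opted in
```

Because the default is the safe path, a grep for `allowHTML: true` across the code base gives a complete list of the places that deliberately render markup and therefore need review, which is exactly the audit this bug asks for.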
Comment 2 Florian Best univentionstaff 2017-05-23 11:17:03 CEST
Bug #44498 is one example, where the attack vector is the progress bar.
Comment 3 Florian Best univentionstaff 2021-07-06 12:17:09 CEST
diff --git management/univention-web/js/widgets/LabelPane.js management/univention-web/js/widgets/LabelPane.js
index b6d693e69d..dc6766ea34 100644
--- management/univention-web/js/widgets/LabelPane.js
+++ management/univention-web/js/widgets/LabelPane.js
@@ -111,6 +111,8 @@ define([
                //              Whether this LabelPane is in a layout with non CheckBox widgets
                betweenNonCheckBoxes: true,
 
+               allowLabelHTML: false,
+
                constructor: function(params) {
                        this._startupDeferred = new Deferred();
 
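Review bot: the new `allowLabelHTML: false` property is added without a summary comment, while the neighbouring `betweenNonCheckBoxes` property carries a `// Whether ...` line in the same style; add one stating that the label is HTML-encoded before it is written to the node unless this flag is true, so that anyone setting it to true understands they take over responsibility for escaping. The default of false matches the description's intent that HTML content is opt-in.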
@@ -281,17 +283,18 @@ define([
                                return;
                        }
 
+                       var labelHTML = this.allowLabelHTML ? label : entities.encode(label);
                        // if we have a widget which is required, add the string ' (*)' to the label
                        if (this._isContentAWidget() && this._isContentRequired()) {
-                               label = label + ' *';
+                               labelHTML = labelHTML + ' *';
                        }
                        this.label = label;
 
                        // set the label itself and show the corresponding label node
                        var labelNode = null;
-                       if (label) {
+                       if (labelHTML) {
                                labelNode = this._getLabelNode();
-                               attr.set(labelNode, 'innerHTML', label);
+                               attr.set(labelNode, 'innerHTML', labelHTML);
                        }
                        this._hideNodes(labelNode);
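Review bot: `entities.encode(label)` depends on an `entities` module (presumably dojox/html/entities) that is not visible in this hunk and is not added to the `define([...])` dependency list anywhere in this diff; confirm it is already imported in LabelPane.js, otherwise setting a label throws at runtime. Second, `labelHTML` is now computed before the `if (labelHTML)` guard that previously tested `label`, so if `label` can reach this point as null or undefined, `entities.encode` must tolerate that input; a guard such as `var labelHTML = (!label || this.allowLabelHTML) ? label : entities.encode(label);` avoids relying on it. Keeping the raw value in `this.label` while writing only the encoded `labelHTML` to the node is the right split: the property retains the original text and only the DOM write is escaped.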