cross-site scripting

Hi,

I'm testing the TreeView component for cross-site scripting.

And when we init a tree with items that contain a DOM element in the text property (like this: text: '<img src="fail" onerror="alert();" /> my node'), the text is not encoded, it is interpreted (so we see the JavaScript alert), and this is a security failure.

When we edit an item (and put the same value with the fake img tag), there is no problem.

Is there a way to have the same behavior as the edit action on tree initialisation?

And I have the same issue on other components: Tabbar (for tab text), accordions.

Thanks

Attachment: xss_attack_6a4e80c4.7z

7 Replies

Sowmiya Padmanaban Syncfusion Team April 3, 2020 02:23 PM UTC

Hi Rebecchi,  
 
Greetings from Syncfusion support. 
 
Query 1- TreeView component. 
 
We have checked your attached screenshot and were able to reproduce the issue in the TreeView component. We have considered this as a bug from our end. It will be included in our April third weekly release.
 
Track the link below for the bug status.
 
Query 2 – Tab and accordion component. 
 
We are currently validating this requirement with high priority. We will update you with further validation details in one business day, on 6th April 2020.

We appreciate your patience until then.
 
 
Regards,  
Sowmiya.P 



Shameer Ali Baig Sulaiman Ali Baig Syncfusion Team April 23, 2020 01:30 PM UTC

Hi Rebecchi, 
 
Thanks for your patience. 
 
We have fixed the issue with the enableHtmlSanitizer property (enablehtmlsanitizer-property-is-not-working-properly). We have added the fix for your reported issue in the attached ej2-lists npm package. Please replace that package in your application's node_modules (node_modules > @syncfusion > ej2-lists) to resolve the reported issue with the EJ2 Angular TreeView component.
 
 
We have prepared a sample for your reference. Please extract the sample and install node_modules by running npm install in the root path. After successfully installing the node_modules, please replace the ej2-lists package inside the @syncfusion folder with the custom patch shared above. Then run the application to check the fix for your problem with TreeView.
 
We will include this fix in our next weekly release which is expected to be rolled out in the fourth week of April 2020. 
 
Please let us know if you need any further assistance.
 
Regards, 
Shameer Ali Baig S.  



Rebecchi April 23, 2020 02:30 PM UTC

Hi,
Thanks for the fix, but I think there is something wrong in it:

My node text: '<img src="sss" onerror="alert()" /> Music'

Now there is no alert anymore: that's OK, but... in the browser console there is an error: GET http://xxx:4200/sss 404 not found

In the tree component, my text node is not <img src="sss" onerror="alert()" /> Music but <img src="sss"> Music.

I think there is something wrong; it's better but not totally corrected.

regards
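The three behaviours described so far in this thread, as an added illustration that is not Syncfusion code and not part of the thread: the original report, where the `text` property is interpreted as markup and the `onerror` handler fires; the first patch, which removed the handler but left `<img src="sss">` in place so the browser still requested `/sss`; and the expected result, where the string is encoded and shown literally. This runs under Node.js with no DOM, so "rendering" is modelled as the string a component would hand to `innerHTML`; the inputs are the two payloads posted above, embedded as constructed test data, and the function names are this example's own.

```javascript
// Added example for this thread (not Syncfusion code). Contrasts three ways a
// UI component can treat a caller-supplied `text` value. All input is
// constructed here from the payloads posted in the thread.

const NODE_TEXT = '<img src="sss" onerror="alert()" /> Music';          // second post
const FIRST_REPORT = '<img src="fail" onerror="alert();" /> my node';  // first post

// 1. Vulnerable: the value is handed to the DOM as markup (innerHTML). The
//    <img> element is created, its src fails to load, and onerror runs alert().
function renderAsMarkup(text) {
  return text; // exactly what would be assigned to element.innerHTML
}

// 2. Incomplete fix: drop on* event-handler attributes but keep the tags.
//    No script runs, but <img src="sss"> survives, so the browser still
//    fetches /sss (the 404 reported above) and the displayed text differs
//    from what the caller supplied.
function stripEventHandlers(text) {
  // Matches  onerror="..."  onload='...'  onclick=bare  inside a tag.
  const handlerAttr = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
  return text.replace(handlerAttr, '');
}

// 3. Encode: escape the characters HTML treats specially so the string is
//    displayed verbatim. In the browser this is element.textContent = text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Checks a tester can run over whatever the component ends up rendering.
// hasMarkup: is there anything the HTML parser would turn into an element?
function hasMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}
// hasEventHandler: is there an on*= attribute inside a tag?
function hasEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Render one payload all three ways, for side-by-side comparison.
function compare(text) {
  return {
    markup: renderAsMarkup(text),
    stripped: stripEventHandlers(text),
    encoded: escapeHtml(text),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const payload of [FIRST_REPORT, NODE_TEXT]) {
    for (const [mode, value] of Object.entries(compare(payload))) {
      console.log(
        `${mode.padEnd(8)} markup=${hasMarkup(value)} handler=${hasEventHandler(value)} -> ${value}`
      );
    }
  }
}
```

The second path is the one to watch for when reviewing a sanitizer fix: removing `on*` attributes stops script execution, but the remaining `<img>` is still parsed into an element that issues a network request for its `src`, which is the 404 seen in the console. Only the third path makes the component display the same string the caller passed in.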


Sowmiya Padmanaban Syncfusion Team April 24, 2020 01:12 PM UTC

Hi Rebecchi,  
 
We have validated your reported issue. We have considered this as a bug from our end. It will be included in our next patch release, which is expected to be released at the end of April 2020. We will update you with the sample once the fix is included.

We appreciate your patience until then.
 
 
Regards,  
Sowmiya.P 



Shameer Ali Baig Sulaiman Ali Baig Syncfusion Team April 29, 2020 04:23 PM UTC

Hi Rebecchi, 
 
Sorry for the inconvenience. 
 
Due to some technical complexities, we are unable to include this fix in this week's weekly patch release. We are working on this issue fix with high priority.

The fix for this issue will be included in the Volume 1 SP release, which is expected to be rolled out in mid-May 2020.

We appreciate your patience till then.
 
Regards, 
Shameer Ali Baig S. 



Sowmiya Padmanaban Syncfusion Team May 14, 2020 08:18 AM UTC

Hi Rebecchi,    
  
We regret the inconvenience.

We were unable to include this fix in the Volume 1 SP release due to some technical reasons. But we have fixed this issue and it is in the testing phase to ensure the stability of this fix with all functionalities of the component. We will include this fix in our next weekly patch release.

We appreciate your patience until then.
 
Regards,  
Sowmiya.P 



Sowmiya Padmanaban Syncfusion Team May 22, 2020 05:22 PM UTC

Hi Rebecchi,     
   
We are glad to announce that our patch release has been rolled out successfully (v18.1.53). In this release, we have included a fix for "404 error in TreeView component".

To access this, we suggest you update the package (ej2-angular-navigations) to the latest version (v18.1.53).

When you set the nodeText as <img src="sss" onerror="alert()" />, it removes the unwanted code, converts the text into a string and displays it in the TreeView component.

Refer to the sample link below.


We thank you for your support and appreciate your patience in waiting for this release. Please get in touch with us if you require any further assistance.
  
  
Regards,   
Sowmiya. P  

