Uikit: XSS vulnerability in Modal and Notification

Created on 23 Oct 2018 · 3 Comments · Source: uikit/uikit

UIkit version

3.0.0-rc.19

Browser

Chrome 69.0.3497.100

Reproduction Link

Copy-paste: "><img/src=x onerror=alert(document.domain)> into the input field and press the button.
https://codepen.io/anon/pen/Jmaqop

Steps to reproduce

Open the link and copy-paste the above text.

What is Expected?

Not getting an alert message.

What is actually happening?

Getting an alert message.

Comments on bug

Since <script>alert()</script> is not being evaluated, some kind of XSS protection is there. But it's apparently not that good.

I had to import https://github.com/leizongmin/js-xss and strip all my notifications and modals, but in my opinion this should be handled by UIkit.

All 3 comments

This comment was made a long time ago by a contributor: https://github.com/uikit/uikit/issues/2077#issuecomment-273718490

In my opinion, he is wrong.

I don't think this is UIkit's responsibility. Custom HTML is allowed inside the notification message.

All input should be sanitized by the developer.

I have created a PR to at least put a warning into documentation, but in the age of safe-by-default frameworks, having modal and notification accept any html does not seem like a good idea. Unfortunately, fixing it would be a breaking change.
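The developer-side sanitization the maintainers ask for, as an added example that is neither UIkit's code nor from the thread above: since `UIkit.notification()` and `UIkit.modal.alert()` render their message as HTML, an untrusted string is escaped before it is interpolated into the trusted markup. The `notificationHtml` / `containsForeignTag` helpers are illustrative names; the reporter's js-xss allow-list approach remains the right choice when user-supplied HTML must be preserved rather than shown as text.

```javascript
// Added example (not UIkit's code, not from the issue thread): escape untrusted
// text before it reaches an API that renders its argument as HTML.

// Escape the five characters that let text break out of an HTML text node or a
// quoted attribute value. The report's payload is an attribute breakout, which
// innerHTML-style rendering does execute (unlike an inline <script> element, which
// the HTML spec says is not run when inserted via innerHTML), so filtering only
// <script> tags is not a sufficient defence.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the wrapper markup is fixed by the developer; only the escaped
// user value is interpolated, so it cannot introduce tags or attributes.
function notificationHtml(userText) {
  return `<span class="uk-text-small">${escapeHtml(userText)}</span>`;
}

// Vulnerable pattern from the issue: raw interpolation of user input.
function notificationHtmlUnsafe(userText) {
  return `<span class="uk-text-small">${userText}</span>`;
}

// Cheap structural check for a unit test or CI lint: after escaping, the rendered
// message must contain no element other than the ones the developer wrote.
function containsForeignTag(html, allowed = ['span']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample input, taken from the reproduction steps in the report.
const PAYLOAD = '"><img/src=x onerror=alert(document.domain)>';

// In a page where UIkit is loaded, the call would then be:
//   UIkit.notification({ message: notificationHtml(PAYLOAD), status: 'warning' });
console.log(notificationHtml(PAYLOAD));
console.log('unsafe variant contains foreign tag:', containsForeignTag(notificationHtmlUnsafe(PAYLOAD)));
```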
