Web Client Cross Site Scripting (XSS) Issue

Postby mark.finlay » Fri Mar 18, 2022 11:35 am

Good morning,

We have noticed a Cross Site Scripting (XSS) issue in the "Web Client" using Servoy 2021.3.2.3644_LTS.

The "Security Setting" servoy.clientTrustDataAsHtml in our instances is always set to: false. We want the XSS protection and generally it works great.

Most of the form components that support valuelists handle malicious scripts correctly according to the security setting above except the "textbox" and "typeahead" components. When focus is gained with these components and prior to the valuelist showing, the payload in the script executes.

To reproduce this issue create a valuelist with an entry with a script within it E.g. "xsstest<img/src=x onerror=alert(document.domain)>" . Then attach that valuelist to a textbox or typeahead component. Launch the "Web Client" and then click in the component.

For an example please see the attached pngs.

Would it be possible to get this fixed please, as it has been identified as a security issue during a recent penetration test?

Thanks,

Mark
Attachments:
sample_wc_solution_textbox_with_vl_containing_script.png: Web Client - Textbox - Valuelist - XSS Issue - Example (1/2)
sample_wc_solution_textbox_with_vl_containing_script2.png: Web Client - Textbox - Valuelist - XSS Issue - Example (2/2)
Asset Guardian Solutions Ltd
mark.finlay
Posts: 12
Joined: Thu Jun 14, 2012 12:07 pm
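To make the expected behaviour concrete, here is an added example (not Servoy's code) of a minimal valuelist renderer that honours a trust-data-as-HTML flag the way servoy.clientTrustDataAsHtml=false is meant to, together with a helper for finding stored valuelist entries that carry markup. The function names, the list markup and the sample entries are assumptions made for this illustration.

```javascript
// Added example, not Servoy's implementation: build typeahead suggestion
// markup from valuelist display values while honouring a trustDataAsHtml
// flag. Produces an HTML string so it runs under Node without a DOM.

// Escape the characters that let data break out of HTML text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Render a list of valuelist entries as <li> items. With
// trustDataAsHtml=false every entry is escaped before it is placed in
// the markup; true passes entries through unchanged, which is only
// acceptable for valuelists whose content the application itself controls.
function renderValuelist(entries, trustDataAsHtml) {
  const items = entries.map((entry) => {
    const text = trustDataAsHtml ? String(entry) : escapeHtml(entry);
    return `<li class="vl-item">${text}</li>`;
  });
  return `<ul class="typeahead-list">${items.join('')}</ul>`;
}

// Review helper: list the entries that contain something tag-like, so the
// stored data can be checked as well as the renderer after a finding like
// the one reported above.
function findMarkupEntries(entries) {
  return entries.filter((entry) => /<[a-zA-Z!\/]/.test(String(entry)));
}

// Constructed sample data: two ordinary entries plus the entry from the
// report above (the string used to reproduce the issue).
const sampleValuelist = [
  'Alpha',
  'Beta',
  'xsstest<img/src=x onerror=alert(document.domain)>',
];

console.log(renderValuelist(sampleValuelist, false));
console.log('entries containing markup:', findMarkupEntries(sampleValuelist));
```

With the flag false, the third entry is rendered as literal text (`&lt;img ...&gt;`), so no element is created and no event handler can fire; the helper flags that same entry for review.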

Re: Web Client Cross Site Scripting (XSS) Issue

Postby jcompagner » Fri Mar 18, 2022 12:07 pm

Can you create a case for this in our support system?
Johan Compagner
Servoy
jcompagner
Posts: 8829
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Web Client Cross Site Scripting (XSS) Issue

Postby mark.finlay » Fri Mar 18, 2022 1:24 pm

Hi Johan,

Thanks for getting back to me so quickly.

I have now raised a case for this issue (SVY-16979).

Thanks,

Mark
Asset Guardian Solutions Ltd
mark.finlay
Posts: 12
Joined: Thu Jun 14, 2012 12:07 pm
