Sanitizing global string attributes – necessary or not?

Here is a DOM-based XSS flaw reported by the Salesforce Security Review team in our code:

RootComponent

<aura:component extensible="true" abstract="true" access="global"
                description="Root template component">

   <!-- ... lot of other code ... -->

   <aura:attribute name="label" 
                   type="String" 
                   access="global" 
                   description="Label of the form input element" />

   <!-- ... lot of other code ... -->

</aura:component>

SubComponent

<aura:component access="global" extends="c:RootComponent" 
                description="Child extension of RootComponent">

   <!-- ... lot of other code ... -->

   <label>{!v.label}</label>

   <!-- ... lot of other code -->

</aura:component>

According to SFDC, “any app can extend SubComponent component and pass in as a label and trigger a DOM-based XSS attack.”
The solution would be to “sanitize” the label global attribute to avoid such an attack. What is meant by sanitization of a global attribute?

I tried to reproduce the so-called security flaw, but as the label attribute is of type “String”, when we send it HTML it is displayed as a string, not as interpreted HTML … so I don’t see where the security flaw could be :/

<aura:application>
    <aura:handler name="init" value="{!this}" action="{!c.doInit}" />

    <c:SubComponent aura:id="TestXSS" label="DOM-based XSS attacks" />

</aura:application>

JS Controller

({
    doInit: function(component, event, helper) {
        var XssAttack = '<img src=x onerror=alert(1) />';
        component.find('TestXSS').set('v.label', XssAttack);
    }
})

Output

Output: HTML is not interpreted

We have global attributes everywhere. Our components are packaged and meant to be extended by client implementations. Do we actually need to sanitize them?
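The distinction the question turns on is the kind of sink the attribute value reaches. A text binding such as `{!v.label}` inside `<label>` writes the value as a text node, so the browser serializes `<` and `>` as entities and the payload stays inert; only a sink that parses the value as markup (a raw innerHTML assignment, or an unescaped-HTML component) would turn it into a live element. The following JavaScript is an added example written for this post, not code from the question or from the Aura framework: `renderTextSink`, `renderHtmlSink`, `containsLiveMarkup` and `sanitizeForHtmlSink` are assumed helper names, and the tiny string-based rendering model stands in for a real DOM.

```javascript
// Added example (not from the question or from Aura): shows why a String
// attribute bound as text is not an XSS sink, and what "sanitizing" would mean
// if the same value ever reached an HTML sink. The rendering model is a
// constructed stand-in for a real DOM.

// The value the question's controller passes into v.label.
const XSS_PAYLOAD = '<img src=x onerror=alert(1) />';

// HTML-escape a string so that an HTML sink renders it as literal characters,
// exactly as a text sink would. This is the "sanitization" a text binding
// performs for you.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Text sink: what {!v.label} inside <label> does. The value becomes a text
// node, and serializing that node escapes it.
function renderTextSink(value) {
  const inner = escapeHtml(value);
  return { inner, outer: `<label>${inner}</label>` };
}

// HTML sink: what a raw innerHTML assignment would do. The value is handed to
// the parser unchanged, so any tags in it become elements.
function renderHtmlSink(value) {
  return { inner: value, outer: `<label>${value}</label>` };
}

// Review check: does the content that reached the sink still contain a tag
// start the parser would act on? Escaped content has no '<' left at all.
function containsLiveMarkup(inner) {
  return /<[a-zA-Z!\/?]/.test(inner);
}

// Defensive wrapper for the rare case a global attribute must reach an HTML
// sink: escape first, so both sinks render the same characters.
function sanitizeForHtmlSink(value) {
  return escapeHtml(value);
}

// Stand-alone demonstration: the same value through both sinks.
console.log('text sink  :', renderTextSink(XSS_PAYLOAD).outer,
            'live markup:', containsLiveMarkup(renderTextSink(XSS_PAYLOAD).inner));
console.log('html sink  :', renderHtmlSink(XSS_PAYLOAD).outer,
            'live markup:', containsLiveMarkup(renderHtmlSink(XSS_PAYLOAD).inner));
console.log('sanitized  :', renderHtmlSink(sanitizeForHtmlSink(XSS_PAYLOAD)).outer,
            'live markup:', containsLiveMarkup(renderHtmlSink(sanitizeForHtmlSink(XSS_PAYLOAD)).inner));
```

Run it with `node` to see the three renderings side by side. The practical takeaway for a review finding is to trace where each global String attribute ends up: a text binding like the one in SubComponent needs no extra handling, while any path that concatenates the value into markup or assigns it to innerHTML is where an escaping step belongs.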

Answer

If this is really a label as you describe, then this is a false positive. However you may have left something out of your description. If you could please send me a message with the details of the issue — it’s enough to get the name of the App if this is for the review — then I can look into it.

Attribution
Source: Link, Question Author: Nicolas Vuillamy, Answer Author: Robert Sussland
