Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
stored XSS in YUI datatable
Posted by: landijk
Date: May 24, 2010 01:21PM

YUI is a JavaScript widget library developed by Yahoo!. Their table widget, called DataTable, by default renders data as HTML fragments. The default formatter for rendering table cells is below:

    formatDefault : function(el, oRecord, oColumn, oData) {
      el.innerHTML = oData === undefined ||
          oData === null ||
          (typeof oData === 'number' && isNaN(oData)) ?
        " " : oData.toString();
    },

The function takes 4 parameters:

el -- the cell where data is to be written
oRecord -- the data "record"
oColumn -- the table column name
oData -- the actual data to be put in the cell

Note that all it does is set the cell's innerHTML. Hence obviously if the data source contains HTML markup strings, those will be rendered live. I'm calling this "stored XSS", even though some people might call vulnerabilities involving innerHTML "DOM injection" or something else. In any case, all the action is on the client side, and the data is coming from the server via XHR.

There are similar vulnerabilities in other YUI widgets.

My questions to the group:

1. How would you respond if the YUI people argued that it is up to the application developer to worry about XSS, and it is fine for the default formatter to be unsafe?

2. How should the safe implementation work (assuming you want to support arbitrary text strings)? Options are:

* use createTextNode
* use textContent/innerText
* use innerHTML, replacing <, >, and & with HTML entities
* something else?

I want to file a bug, but based on my experience with YUI developers so far, I think I'm going to run into a lot of pushback. It would be helpful if other people looked at this issue and chimed in. If people agree I should go ahead, I will cite this thread in the bug report. Thanks!

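Two of the options from question 2 above, written out as an added example that is not part of the original post and is not YUI code. The function names are hypothetical; only the `(el, oRecord, oColumn, oData)` signature and the empty-value rule are taken from the quoted formatter, and a plain object stands in for the table cell so the block runs outside a browser.

```javascript
// Added example, not YUI code. escapeHtml, isEmptyCell, formatText and
// formatEscaped are hypothetical names; the parameter list follows the
// formatter quoted in the post.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single pass, so an "&" produced by one replacement is never escaped again.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Same empty-value rule as the quoted default formatter.
function isEmptyCell(oData) {
  return oData === undefined || oData === null ||
    (typeof oData === 'number' && isNaN(oData));
}

// textContent option: the value becomes a text node and is never parsed as markup.
function formatText(el, oRecord, oColumn, oData) {
  el.textContent = isEmptyCell(oData) ? ' ' : String(oData);
}

// innerHTML option: the parser only ever sees entities. Quotes are escaped in
// addition to <, > and &, so the string stays inert if it is later reused
// inside an attribute value.
function formatEscaped(el, oRecord, oColumn, oData) {
  el.innerHTML = isEmptyCell(oData) ? ' ' : escapeHtml(oData);
}

// Constructed sample data. The empty objects stand in for <td> elements;
// in a browser, pass the real cell element instead.
function demo() {
  const fromServer = '<b title="x">Tom & Jerry\'s</b>';
  const textCell = {};
  const htmlCell = {};
  formatText(textCell, null, null, fromServer);
  formatEscaped(htmlCell, null, null, fromServer);
  return { text: textCell.textContent, html: htmlCell.innerHTML };
}
```

Both variants display the markup characters literally; they differ only in whether the HTML parser is involved at all.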
Re: stored XSS in YUI datatable
Posted by: PaPPy
Date: May 24, 2010 04:24PM

If you rely on scripts and they are vulnerable, it is on the server.
If you don't sanitize user inputs in the first place, it's on the server.

If you're not using NoScript, that's on the user.

http://www.xssed.com/archive/author=PaPPy/
