Vulnerability: Cross-Site Scripting (XSS) in Select Element Rendering

[OlegChuev]

Vulnerability: Cross-Site Scripting (XSS) in Select Element Rendering

The library is vulnerable to a Cross-Site Scripting (XSS) attack. If the content passed into a <select> element contains a malicious payload, it is rendered directly into the DOM without proper sanitization, leading to script execution.

Example Payload

<script>javascript:alert(1)</script>

Sample Input

<select>
  <option value="123">&lt;script&gt;javascript:alert(1)&lt;/script&gt;</option>
</select>

Resulting Rendered Output

<div class="nice-select" tabindex="0">
  <span class="current">
    <script>javascript:alert(1)</script>
  </span>
  <div class="nice-select-dropdown">
    <div class="nice-select-search-box">
      <input type="text" class="nice-select-search" placeholder="Search..." title="search">
    </div>
    <ul class="list">
      <li data-value="123" class="option selected null">
        <script>javascript:alert(1)</script>
      </li>
    </ul>
  </div>
</div>

Impact

This vulnerability allows attackers to inject and execute arbitrary JavaScript in the context of the user’s browser, which can lead to session hijacking, credential theft, and other malicious actions.

Recommendation

Ensure that all user-supplied content rendered into the DOM is properly escaped or sanitized. Avoid using innerHTML or similar unsafe DOM manipulation methods when rendering untrusted content.

[Tsjippy]

Thank you for your well-written feedback.

I have made a few changes, please give me more examples or a pr if not sufficient

[LuigiPulcini]

The fix to this vulnerability, contained in 2.4.1, breaks any legitimate use of HTML markup in the data-display attribute, which becomes totally useless.

If we want the data-display functionality to stay in place, it is not possible to avoid using innerHTML. A more appropriate solution, in this case, would be to remove any potentially malicious content from the data-display string before it is further assigned to DOM elements down the road. The best place to do this is inside the extractData() function, right before returning itemData inside the loop. A function like the one below should suffice and can be easily extended to include more exclusions or further sanitization if needed:

sanitizeHtml(html) {
  // Remove potentially malicious content from the text
  // while allowing innocuous HTML markup
  ['script', 'iframe', 'object', 'embed', 'applet'].forEach(tag => {
    html = html.trim().replace(new RegExp(`<${tag}[^>]*>([\\S\\s]*?)<\/${tag}>`, 'gim'), '').replace(new RegExp(`<\/?\\s*${tag}\\s*>`, 'gim'), '');
  });

  // remove any event attribute from tags
  html = html.replace(/ on\w+="[^"]*"/gim, '');

  return html;
}