Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in wenzhixin/bootstrap-table
Reported on
Apr 7th 2022
Description
Hello and thank you for the wonderful library! We use it extensively in our app. However, I think we've identified an XSS vulnerability in the Export plug-in.
If you set exportOptions: htmlContent in your Bootstrap Table to true, then you can force arbitrary JavaScript to execute (see the attached PoC). The problem is actually in the jQuery Table Export plug-in, and I've reported it to them as well. But I figure you might also want to fix it here, just in case.
I think the problem can be worked around by using a corrected onCellHtmlData callback method, which it looks like the library is already attempting to do. However, as evidenced by the vuln, I think for some reason that callback isn't getting executed, and the default onCellHtmlData callback is firing instead, and that default implementation does appear to be vulnerable.
Proof of Concept
https://live.bootstrap-table.com/code/uberbrady/11033
Impact
Disclosing session cookies, disclosing secure session data, exfiltrating data to third-parties.
Occurrences
bootstrap-table-export.js L27
I suspect that this line isn't creating an element whose value is the enclosed callback? Or perhaps tree-shaking is removing the function? Or maybe 'uglification' is renaming the element? Either way, this method doesn't seem to be firing. In my own code, when I pass along the onCellHtmlData callback with this function, it does seem to negate the XSS vulnerability.
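The report's workaround is to supply your own onCellHtmlData callback and to confirm it is actually the one firing. The following is an added example, not code from this report, from bootstrap-table or from the tableExport plug-in; it assumes the plug-in calls exportOptions.onCellHtmlData as onCellHtmlData(cell, rowIndex, colIndex, htmlData) and uses the returned string as the exported cell content when htmlContent is true. The export loop, the table rows and the injected cell are constructed here so the example runs without jQuery or a DOM.

```javascript
// Added example (not code from the report, bootstrap-table or tableExport.jquery.plugin).
// Assumption: the plug-in invokes exportOptions.onCellHtmlData(cell, rowIndex, colIndex, htmlData)
// and exports whatever string the callback returns when exportOptions.htmlContent is true.

// Escape the five characters that let cell content break out of a text node or
// an attribute value, so the exported cell is inert markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened callback. It also counts its invocations so you can verify in the
// browser console that *this* callback ran, rather than the plug-in's default
// (the report's concern is that the library's own callback is not firing).
function makeSafeOnCellHtmlData() {
  let calls = 0;
  const cb = function onCellHtmlData(cell, rowIndex, colIndex, htmlData) {
    calls += 1;
    return escapeHtml(htmlData);
  };
  cb.calls = () => calls;
  return cb;
}

// Stand-in for the plug-in's export loop (constructed for this example): feeds
// each cell's raw HTML through the callback the way the plug-in would with
// htmlContent: true. `cell` is passed as null because no jQuery object exists here.
function exportRows(rows, onCellHtmlData) {
  return rows.map((row, r) => row.map((html, c) => onCellHtmlData(null, r, c, html)));
}

// Constructed sample table: a cell with harmless formatting and a cell carrying
// injected markup of the kind the report describes.
const sampleRows = [
  ['Alice', '<b>admin</b>'],
  ['Bob', '<script>alert(1)</script>'],
];

// Pass-through behaviour (what a default callback that returns htmlData unchanged
// would export) versus the hardened callback.
const passthrough = exportRows(sampleRows, (cell, r, c, html) => html);
const safeCb = makeSafeOnCellHtmlData();
const hardened = exportRows(sampleRows, safeCb);

// Hypothetical wiring in a real page (assumed option names, per the report):
//   $('#table').bootstrapTable({
//     exportOptions: { htmlContent: true, onCellHtmlData: makeSafeOnCellHtmlData() }
//   });
// After an export, safeCb.calls() > 0 confirms the custom callback was used.
```

Escaping neutralises every tag, including the harmless `<b>` in the first row; if the exported file must keep some formatting, the callback would instead need an allow-list sanitizer rather than a blanket escape. The invocation counter is the practical check the report asks for: if it stays at zero after an export, the callback you passed is not the one the plug-in is running.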