Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in wenzhixin/bootstrap-table
Reported on
Apr 7th 2022
Description
Hello and thank you for the wonderful library! We use it extensively in our app. However, I think we've identified an XSS vulnerability in the Export plug-in.
If you set the exportOptions in your Bootstrap Table to true, then you can force arbitrary Javascript to execute (see the attached PoC). The problem is actually in the jQuery Table Export plug-in, and I've reported it to them as well. But I figure you might also want to fix it here, just in case.
I think the problem can be worked-around by using a corrected onCellHtmlData callback method - which it looks like the library is already attempting to do. However, as evidenced by the vuln, I think for some reason that callback isn't getting executed, and the default onCellHtmlData callback is firing instead, and that default implementation does appear to be vulnerable.
Proof of Concept
https://live.bootstrap-table.com/code/uberbrady/11033
Impact
Disclosing session cookies, disclosing secure session data, exfiltrating data to third-parties.
Occurrences
bootstrap-table-export.js L27
I suspect that this line isn't creating an element whose value is the enclosed callback? Or perhaps tree-shaking is removing the function? Or maybe 'uglification' is renaming the element? Either way, this method doesn't seem to be firing. In my own code, when I pass along the onCellHtmlData callback with this function, it does seem to negate the XSS vulnerability.
