My company is using the Enterprise version of DHTMLX. Our problem is located in the 3.5 version of the Tree Component.
While renaming an object in a Tree with a specific string ("foo", for example), I am able to perform a reflected XSS attack, in a weird way.
In fact, the payload injected will be interpreted when the entity is being renamed, and will stop being interpreted if I reload the tree (i.e. changing back and forth from the combobox attached).
That being said, after some investigation, I wasn't able to correct this by only modifying our code. Indeed, the _stopEdit function of the DHTMLX component sets the span innerHTML with the raw value of the object (i.e. the injected payload), which bypasses any correction I can perform before or after the event.
The line I have been able to identify is the following one:
this._editCell.span.innerHTML = editText;
I have been able to correct this flaw by overloading the DHTMLX component's function so that it encodes the editText value.
We have tried the newest version to date and the flaw seems to be there too.
Is there a proper way to avoid this flaw (a module to purchase or a known solution, …)?
In general, it seems that DHTMLX components are not WYSIWYG, and this can lead to XSS injection since inputs are interpreted as HTML. Is there a general way to avoid this flaw?
Thanks for your time.