
[DHTMLX-3.5]Tree - _stopEdit function - XSS Injection


#1

Hello,

My company is using the Enterprise version of DHTMLX. Our problem is located in the 3.5 version of the Tree Component.
While renaming an object in a Tree with a specific string (“foo”, for example), I am able to perform a reflected XSS attack, in a weird way.
In fact, the injected payload will be interpreted when the entity is being renamed, and will stop being interpreted if I reload the tree (i.e. changing back and forth from the attached combobox).
That being said, after some investigation, I wasn’t able to correct this by only modifying our code. Indeed, the _stopEdit function of the DHTMLX component sets the span innerHTML with the raw value of the object (i.e. the injected payload), which bypasses any correction I can perform before or after the event.
The line I have been able to identify is the following one:

this._editCell.span.innerHTML = editText; 

I have been able to correct this flaw by overloading the DHTMLX component’s function by encoding the editText value.
We have tried the newest version to date and the flaw seems to be there too.
Is there a proper way to avoid this flaw (a module to purchase or a known solution, …)?

In a general way, it seems that DHTMLX components are not WYSIWYG, and this can lead to XSS injection since inputs are interpreted. Is there a general way to avoid this flaw?

Thanks for your time.


#2

dhtmlxConnector has security protection that prevents the use of HTML/JS code in the component data, for the server’s safety.
Here you can find a tutorial:
docs.dhtmlx.com/connector__php_ … urity.html


#3

Hello,

First, thanks for your reply.
As far as I understand, the solution you are providing is working with databases. My problem here seems different (for the Tree flaw).
Indeed, my problem occurs when I edit an object’s name in the DHTMLX Tree.
The value is sent to the server (and stored as is, which is intended), and the DHTMLX Tree component, through the _stopEdit method, is taking the input value to refresh the object in the tree (not the value from the database). This value is not encoded and so, interpreted.
When I reload a Tree containing objects, it is displayed as-is.
This means that if I name an object TestObjectName, after the edit, the object’s name will be TestObjectName (which comes from the _stopEdit function). When I reload the Tree, fed with the database value this time, the object’s name will be TestObjectName, as expected.
As I detailed before, the flaw occurs only when editing.

My application needs to store all user inputs unencoded. This means I have to encode any data sent by the server before displaying it.
Also, I must specify that I can’t interact with the database using C# and .NET, since my application is sending data to a Delphi API, which itself communicates with the database.
Thus what I need is a solution (if it exists) to stop the _stopEdit flaw from occurring. If nothing can be done without modifying your source code, then this post is made to inform you of such a flaw in your components.
I hope I clarified this problem.

Thanks for your time
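The pattern reported in #1 (the raw edit text assigned to span.innerHTML) and the data flow described in #3 (the tree refreshes the label from the edit input, not from the server), as an added example that is not DHTMLX code and not the poster’s own overload. It models the edit cell with plain objects so it runs in Node without a DOM; FakeTree, escapeHtml, hardenStopEdit and the sample payload are assumptions made for the illustration, and the fake span simply returns the string it was assigned rather than re-serialising markup as a real browser would.

```javascript
// Added example, not part of the original thread or of DHTMLX.
// Models the reported line `this._editCell.span.innerHTML = editText;`
// and the encode-before-assign overload the reporter describes.

// Minimal HTML entity encoder (assumption: the thread names no specific encoder).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for the tree component: a fake _editCell whose span records
// whatever is assigned to innerHTML (hypothetical, used instead of a DOM).
class FakeTree {
  constructor() {
    this._editCell = { span: { innerHTML: "" } };
  }

  // Mirrors the vulnerable behaviour: the edit text is written as markup,
  // so a payload typed into the rename box is parsed as HTML by the browser.
  _stopEdit(editText) {
    this._editCell.span.innerHTML = editText;
    return this._editCell.span.innerHTML;
  }
}

// The overload described in the thread: keep the original method, but
// encode editText before it reaches innerHTML. Works on any class that
// exposes _stopEdit on its prototype.
function hardenStopEdit(treeClass) {
  const original = treeClass.prototype._stopEdit;
  treeClass.prototype._stopEdit = function (editText, ...rest) {
    return original.call(this, escapeHtml(editText), ...rest);
  };
  return treeClass;
}

// Constructed sample input: what an attacker would type into the rename box.
const PAYLOAD = '<img src=x onerror="alert(1)">';

// Vulnerable path: the markup is assigned verbatim.
function rawRename(text) {
  return new FakeTree()._stopEdit(text);
}

// Hardened path: same component, overloaded method, entities encoded.
class HardenedTree extends FakeTree {}
hardenStopEdit(HardenedTree);

function hardenedRename(text) {
  return new HardenedTree()._stopEdit(text);
}

// Stand-alone demonstration.
console.log("raw      :", rawRename(PAYLOAD));
console.log("hardened :", hardenedRename(PAYLOAD));
```

Because the server stores the name unencoded (as #3 intends), the same escapeHtml step has to be applied on the reload path as well; the overload only closes the client-side window between the edit and the next refresh.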


#4

I understand. Thank you for your note.
You’re right, there is no XSS filtering on the client side itself, for the reason that before reaching the server side this data cannot cause harm.