DITA Webhelp output has XSS Vulnerability

mstrubberg
Posts: 48
Joined: Sat Jan 26, 2013 6:07 pm

DITA Webhelp output has XSS Vulnerability

Post by mstrubberg »

While testing for XSS vulnerability on Webhelp output, if a string such as <img src=asdf onerror=alert(1)> is typed in the Search field, it invokes a new java window in the HTML with an alert icon and the number 1 under IE and Chrome.

Does Oxygen have XSS filters already embedded, or do we have to add XSS filters so that code strings entered in the search field render no results and the string is not allowed to act on any user script entered?
sorin_ristache
Posts: 4141
Joined: Fri Mar 28, 2003 2:12 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by sorin_ristache »

Hello,

I cannot reproduce the alert box. Please post here the full error message, or better post a screenshot with the alert message.

The JavaScript code of the Webhelp search does not evaluate or process the user input text. It just splits the input text into substrings delimited by space, comma, colon, etc. for finding the words. So it should pose no XSS threats.


Thank you,
Sorin
sorin_ristache
Posts: 4141
Joined: Fri Mar 28, 2003 2:12 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by sorin_ristache »

Hi,

Thank you, now we get the alert box. We already fixed the problem and we will include the fix in the next maintenance build of Oxygen 14.2 (the current version) and obviously in the next version of Oxygen (15.0). If you are subscribed to the RSS feed of maintenance builds you will be notified about the new build.


Regards,
Sorin
mstrubberg
Posts: 48
Joined: Sat Jan 26, 2013 6:07 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by mstrubberg »

Thanks Sorin. Please post on this thread when the fix is available for 14.2 and where it can be downloaded from.

Regards,
sorin_ristache
Posts: 4141
Joined: Fri Mar 28, 2003 2:12 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by sorin_ristache »

Hi,

I just sent you by email a patched file that fixes the problem by replacing the original Oxygen 14.2 with the same name. Please let us know if the file does not fix the alert box problem. Of course this fix will be included in both the next maintenance release of Oxygen 14.2 and the next version of Oxygen (15.0).


Regards,
Sorin
mstrubberg
Posts: 48
Joined: Sat Jan 26, 2013 6:07 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by mstrubberg »

Sorin, could you please resend? I did not receive the file.
sorin_ristache
Posts: 4141
Joined: Fri Mar 28, 2003 2:12 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by sorin_ristache »

Hello,

I sent the file again by email. Please let us know if you did not receive the file.


Regards,
Sorin
mstrubberg
Posts: 48
Joined: Sat Jan 26, 2013 6:07 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by mstrubberg »

Sorin,

I still did not receive the files.

Please email the files to my email address:

ramona_strubberg@mastercard.com
sorin_ristache
Posts: 4141
Joined: Fri Mar 28, 2003 2:12 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by sorin_ristache »

Hello Mona,

I sent the file called nwSearchFnt.js again to the email address: ramona_strubberg@mastercard.com. Did you receive an email from the address support@oxygenxml.com? I did not receive any automatic undelivered/error notification for any email that I sent to a @mastercard.com address, so I think the message was delivered to the address: ramona_strubberg@mastercard.com.

If you did not receive the file you can download it in archived (zipped) form from here.


Regards,
Sorin
mstrubberg
Posts: 48
Joined: Sat Jan 26, 2013 6:07 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by mstrubberg »

Sorin,

I was only able to get the updated file from the .zip you included with the last reply. We are testing it now in 14.2.

Can you also provide this XSS filter in a search java file for Oxygen 13.2?

If you can, please submit the file as part of the reply.

For some reason I am not getting any of the emails you have sent to my addresses (not in junk or spam folders either).
sorin_ristache
Posts: 4141
Joined: Fri Mar 28, 2003 2:12 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by sorin_ristache »

Hello,

You can download the modified file for Oxygen 13.2 from here. Please unzip the nwSearchFnt-13.2.zip file and overwrite the file: [Oxygen-13.2-install-dir]\frameworks\dita\DITA-OT\plugins\webhelp\resources\search\nwSearchFnt.js.


Regards,
Sorin
ionela
Posts: 407
Joined: Mon Dec 05, 2011 6:08 pm

Re: DITA Webhelp output has XSS Vulnerability

Post by ionela »

Hello,

I just wanted to let you know that this problem has been resolved in the latest maintenance build of Oxygen 14.2, 2013030817 (released on March 12th):
WebHelp: Avoid interpretation of HTML tags inserted in the search field.
You can download it from our web site:
http://www.oxygenxml.com/download.html

The list of bug-fixes can be found here:
http://www.oxygenxml.com/build_history.html#2013030817

You can follow the release/build RSS feed here:
http://www.oxygenxml.com/rssBuildID.xml

Let us know if you encounter further problems with this new build.

Regards,
Ionela
Ionela Istodor
oXygen XML Editor and Author Support