
I have a file named eHelpDhtm.js. When I scan my whole project with Checkmarx, it reports a vulnerability related to a DOM XSS attack.

I am getting the DOM XSS issue below:

Method PopupMenu_InvokeReady of User Guide\Help\eHelpDhtm.js gets user input for the location element. This element’s value then flows through client-side code without being properly sanitized or validated and is eventually displayed to the user in PopupMenu_InvokeReady of User Guide\Help\eHlpDhtm.js. This may enable a DOM XSS attack.

The faulty line in the method below is:

// Flagged line: `location` (the current URL, partly user-influenced via query
// string and fragment) is stringified and concatenated straight into an HTML
// attribute without any encoding for the attribute context.
gbWndPopupLinks.document.write("<base href=\"" + location +"\">");

Below is the code:

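/**
 * Write the HTML head of the pop-up link window (gbWndPopupLinks).
 *
 * When gbBsNS2 is set (presumably an old-browser flag) a <base> element that
 * points at the current page location is written; otherwise a small gotoUrl()
 * helper script is written instead. Afterwards the temporary window
 * (gbWndTemp) is closed, or the pop-up is focused when that window is not in
 * use.
 *
 * The current URL is encoded for the attribute context before it is placed
 * into the markup, so characters from the query string or fragment cannot
 * terminate the href attribute or the <base> tag. (document.write is kept to
 * preserve the existing flow; creating the element via the DOM and assigning
 * its href property would avoid building markup from strings altogether.)
 *
 * @returns {boolean} true when the pop-up window existed and was written to,
 *   false when gbWndPopupLinks is null/undefined.
 */
function PopupMenu_InvokeReady()
{
    // Encode a value for use inside a double-quoted HTML attribute. `value`
    // may be a Location object; String() turns it into its href. Note that
    // Location has its own replace() method (navigation), so the value must
    // be converted to a string before any text replacement is attempted.
    var escapeAttr = function (value) {
        return String(value)
            .replace(/&/g, "&amp;")
            .replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&#x27;");
    };

    if (gbWndPopupLinks == null) {
        return false;
    }

    gbWndPopupLinks.document.open("text/html");
    gbWndPopupLinks.document.write("<html><head>");
    if (gbBsNS2) {
        // Attribute context: escapeAttr() keeps the whole URL inside the quotes.
        gbWndPopupLinks.document.write("<base href=\"" + escapeAttr(location) + "\">");
    } else {
        // "<" and "script>" are written as separate strings, presumably so the
        // literal is not itself parsed as a script tag by the containing page.
        gbWndPopupLinks.document.write("<");
        gbWndPopupLinks.document.write("script>");
        gbWndPopupLinks.document.write("function gotoUrl(aUrl) {opener.window.location=aUrl; close();}");
        gbWndPopupLinks.document.write("<");
        gbWndPopupLinks.document.write("/script>");
    }

    // Close the temporary window, or focus the pop-up when there is none.
    if (!gbBsNS3 && gbWndTemp != null) {
        gbWndTemp.close();
    } else {
        gbWndPopupLinks.focus();
    }

    return true;
}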

Can anyone help me sanitize it properly?




I don't know whether this will work with the <base> href attribute, but in the console the resulting string is escaped properly. Add this function to your code:

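/**
 * Encode a value for safe insertion into HTML text or a quoted attribute.
 *
 * Every character that can open a tag, end a quoted attribute or start an
 * entity is replaced by its character reference. The input is first coerced
 * with String(), so a non-string such as a Location object (whose own
 * replace() method navigates instead of editing text) is encoded via its
 * string form rather than misused.
 *
 * @param {*} toOutput - value to encode; coerced to a string
 * @returns {string} the encoded string ("" for an empty input)
 */
function escapeOutput(toOutput){
    return String(toOutput)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        // Numeric references are terminated with ";" so browsers parse them
        // unambiguously regardless of what follows.
        .replace(/'/g, '&#x27;')
        .replace(/\//g, '&#x2F;');
}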

Then use it in your code:

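// `location` is a Location object, and Location.replace() navigates the page
// rather than editing text, so the value is converted to a string first. The
// numeric references also need their terminating ";".
gbWndPopupLinks.document.write("<base href=\"" + String(location).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;').replace(/\//g, '&#x2F;') + "\">");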

Or

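// Pass the href string, not the Location object: calling .replace() on a
// Location navigates the page instead of replacing characters.
gbWndPopupLinks.document.write("<base href=\"" + escapeOutput(location.href) + "\">");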

Live example

You can read more about this on the Open Web Application Security Project (OWASP) site:

OWASP

OWASP/xss
