
I am having an issue regarding the tagfield component when entering `<img src=a onerror=alert('xss!')>`. This tag is being executed after entering the whole value. I've tried preventing the tag execution on keyup, keypress, keydown, and beforequery events and it is still executing. This block of code prevents the event from executing when it detects an XSS tag.

    Ext.application({
        name: 'Fiddle',

        launch: function () {

            var shows = Ext.create('Ext.data.Store', {
                fields: ['id', 'show'],
                data: []
            });

            // Shared check used by every listener: blank the raw input as soon as
            // it contains something that looks like an HTML tag, and veto the event.
            var htmlTagRe = /(<([^>]+)>)/;
            function rejectHtml() {
                var editor = Ext.ComponentQuery.query('#tagField')[0];
                if (editor.inputEl.getValue().search(htmlTagRe) >= 0) {
                    editor.inputEl.dom.value = '';
                    return false;
                }
            }

            Ext.create('Ext.form.Panel', {
                renderTo: Ext.getBody(),
                title: 'Sci-Fi Television',
                height: 200,
                width: 500,
                items: [{
                    xtype: 'tagfield',
                    itemId: 'tagField',
                    fieldLabel: 'Select a Show',
                    store: shows,
                    displayField: 'show',
                    valueField: 'id',
                    queryMode: 'local',
                    filterPickList: false,
                    // keypress/keydown listeners on a text field only fire when
                    // enableKeyEvents is true (see the comments below).
                    enableKeyEvents: true,
                    listeners: {
                        beforequery: rejectHtml,
                        keypress: rejectHtml,
                        keydown: rejectHtml
                    }
                }]
            });

        }
    });


FEDeveloper
  • Are you trying to foil an xss injection? Would you be able to fork this fiddle to show what you are trying to do? https://fiddle.sencha.com/#view/editor&fiddle/39n9 – mcg1103 Oct 16 '20 at 11:49
  • @mcg1103 Yes, I'm trying to prevent an xss injection. I've updated the code snippet that I've tried. I'm also currently trying to create a regex to ignore the html tags on input. – FEDeveloper Oct 16 '20 at 12:37
  • To get the keyevents to fire you have to set enableKeyEvents to true. https://fiddle.sencha.com/#view/editor&fiddle/39nh Do you have an example of an xss injection that we can use as a test? – mcg1103 Oct 16 '20 at 13:44
  • @mcg1103 This is the xss tag I'm trying to use . I'm also using the 7.1 version of extjs. – FEDeveloper Oct 16 '20 at 14:33
  • Oh OK, sorry I missed that from the original post. I did not know anything about this type of attack prior to your post, but good to know! You are using the classic tool kit, correct? – mcg1103 Oct 16 '20 at 17:04
  • @mcg1103, yes I am. – FEDeveloper Oct 16 '20 at 17:18

1 Answer

This took a little while to hunt down, but apparently in Ext.form.field.ComboBox, there's an onFieldMutation handler that really is the key to all of this. Take a look at this Fiddle and the code that takes care of handling this... I believe this is what you're looking for:

    Ext.define('ComboOverride', {
        // Ext.form.field.Tag extends ComboBox, so the override covers the tagfield too.
        override: 'Ext.form.field.ComboBox',

        // Runs on every mutation of the raw input element; clear it as soon as
        // HTML characters appear, before the combo processes the new value.
        onFieldMutation: function (e) {
            var inputDom = this.inputEl.dom;
            if (Ext.String.hasHtmlCharacters(inputDom.value)) {
                inputDom.value = '';
                alert('XSS Detected, Removing');
            }
            return this.callParent(arguments);
        }
    });
incutonez
    Cool, I think this answer is a very helpful one. I'll try if I could use this. I actually had a workaround on this by detecting the input value has greater than, less than, onerror, or src. It's actually a special case that only this tag, , is being executed while other tags can be encoded on the display after accepting the value. Anyway, this answer is very helpful. @incutonez – FEDeveloper Oct 20 '20 at 12:32
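A stand-alone illustration of the check the answer relies on (added here; it is not the question's or the answer's code and does not use Ext JS itself): plain-JavaScript stand-ins for `Ext.String.hasHtmlCharacters` and `Ext.String.htmlEncode`, assumed to cover the same five characters (`& < > " '`), run over the payload from the question and over benign show names. It also shows the caveat a defender should weigh: clearing on detection discards a legitimate value such as "Tom & Jerry", whereas encoding the value when it is rendered keeps the data and still neutralises the markup.

```javascript
// Plain-JS stand-ins for the Ext.String helpers named in the answer.
// Assumption: hasHtmlCharacters flags exactly the characters htmlEncode escapes.
const CHAR_TO_ENTITY = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};
const HTML_CHAR_RE = /[&<>"']/;      // no 'g' flag, so .test() is stateless

function hasHtmlCharacters(value) {
  return HTML_CHAR_RE.test(String(value));
}

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, ch => CHAR_TO_ENTITY[ch]);
}

// The answer's strategy: blank the raw input as soon as HTML characters appear.
// Returns the value the field would be left with.
function clearOnDetect(value) {
  return hasHtmlCharacters(value) ? '' : value;
}

// Output-encoding alternative: keep the typed text as data and encode it only
// at the point where it is written into markup (tag label, pick-list row).
function encodeForDisplay(value) {
  return htmlEncode(value);
}

// Constructed inputs: the payload from the question plus two benign show names.
const SAMPLES = [
  "<img src=a onerror=alert('xss!')>",
  'Firefly',
  'Tom & Jerry'
];

function run() {
  return SAMPLES.map(v => ({
    input: v,
    flagged: hasHtmlCharacters(v),
    afterClear: clearOnDetect(v),
    display: encodeForDisplay(v)
  }));
}

run().forEach(r => console.log(r));
```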