Multifield Search - Cross Site Scripting Concern

[MigMag2324]

While conducting some security tests on my application, I noticed that I was able to perform Cross Site Scripting attacks through the Multifield search widget. With HTML as an example, users are able to insert and execute potentially malicious code by simply typing in the code snippet as a search query and hitting the Enter key.

Attached are screenshots depicting a demonstration of this issue using an HTML image tag. The tag has an intentionally undefined source attribute, with the onerror attribute causing a prompt to appear in the web browser. Upon hitting the Enter key, the tag snippet was executed, and the prompt window appeared.

A potential solution could be something like implementing an event handler within the Multifield search, with the search string as an argument passed into a function that could utilize something like the "XSSSanitize" action from the Community Commons module. Alternatively, integrating code scrubbing within the Multifield widget could also be done, removing the need for the users to handle this security patch on their own terms.

The present concern is that at this time any hostile actor could go in and execute malicious code that could wreak havoc on applications, and while this could be handled on an app-by-app basis with custom remediation, this poses a risk to numerous Mendix applications that utilize this widget. Any solutions that could help remediate this issue would be greatly appreciated. Thank you!

[tieniber]

Firstly, I agree we should sanitize the input here. But is this really a vulnerability? The multi-field search box can't be pre-populated in any way, so a malicious party doesn't have any way to execute code on someone's machine unwillingly. The user would have to actually type/paste JS code into the search box. Anybody can execute JS code on their own browser using the browser's dev tools anyway.

[MigMag2324]

Thank you so much for your reply. I completely agree on that notion, that the search box cannot be pre-populated, so there is no way for remote code execution. However, the concern is that one of our users could be accidentally tricked into inserting a malicious code snippet into the search bar. While the chance of that happening is low, it still exists, and that is why we consider it a vulnerability, granted a low-risk vulnerability. Sanitizing the input would provide a safeguard in the event that a user is in fact tricked or exploited, and would ensure that no matter what happens, the application at least has one more layer of protection.

Would implementing a library within the code itself that handles the sanitization be the best way to approach this? Or could something like creating an event handler in the app configuration that runs a microflow that sanitizes using something like the Nanoflow Commons module work better? Thank you so much again for your input.