Contributor slowdown indicates a patch may not be in the works

Aurelia framework default HTML sanitizer opens the door to XSS attacks

Default HTML sanitizer settings implemented in the Aurelia JavaScript framework leave users vulnerable to cross-site scripting (XSS) attacks, researchers have warned.

Aurelia is an “unobtrusive” client framework for the creation of components in JavaScript or TypeScript.

The developers described the open source project as a “collection of modern JavaScript modules, which when used together, function as a powerful platform for building browser, desktop and mobile applications, all open source and built on open web standards”.

Malicious input

During web application testing, GoSecure’s security team found a vulnerability in the framework that could allow attackers to perform XSS attacks.

In a security advisory dated May 12, GoSecure’s Mohamed Aziz Acheche said that users relying on default HTML sanitization settings alone to filter out malicious input are at risk.

RELATED Google and Mozilla unveil plans to bake HTML sanitization into their browsers

According to the team, it is possible to data-bind HTML attributes or elements content to JavaScript expressions when you use the framework.

XSS attack surface

By default, the HTML sanitizer will only tackle script elements during the sanitization process, and so attackers could choose a wide variety of other elements to bind, input malicious code, and launch an XSS attack.

As a result, users could be subject to problems including information leaks and the theft of session tokens.

“While this is still an existing issue in all default deployments of the Aurelia framework, users can easily override the insecure HTML sanitizer for a more secure alternative,” GoSecure says.

Read more of the latest security vulnerability news

The vulnerability has been reported to Aurelia’s development team. However, Acheche indicated that development has slowed down as of late, and so a fix or overhaul may not be forthcoming.

“The 2.0 version of its framework hasn’t been released and its biggest 1.x contributor is now working at Microsoft on fast so it remains to be seen what the future of the Aurelia framework [and its security] is,” he commented.

Defending the DOM

Since the discovery of the sanitization issue, Aurelia has updated its documentation on binding, warning users that the system is a “placeholder” for a more robust solution.

“It does NOT provide security against a wide variety of sophisticated XSS attacks, and should not be relied upon for sanitizing input from unknown sources,” the team says.

“You can replace the built-in sanitizer by registering your own implementation of HTMLSanitizer with the app at start-up.”

Aurelia recommends that users implement solutions such as sanitize-html or DOMPurify.

The Daily Swig has reached out to Aurelia and we will update when we hear back.

RECOMMENDED XSS in the wild: JavaScript-stuffed orders used to compromise Japanese e-commerce sites