Contributor slowdown indicates a patch may not be in the works
During web application testing, GoSecure’s security team found a vulnerability in the framework that could allow attackers to perform XSS attacks.
In a security advisory dated May 12, GoSecure’s Mohamed Aziz Acheche said that users relying on default HTML sanitization settings alone to filter out malicious input are at risk.
RELATED Google and Mozilla unveil plans to bake HTML sanitization into their browsers
XSS attack surface
By default, the HTML sanitizer will only tackle script elements during the sanitization process, and so attackers could choose a wide variety of other elements to bind, input malicious code, and launch an XSS attack.
As a result, users could be subject to problems including information leaks and the theft of session tokens.
“While this is still an existing issue in all default deployments of the Aurelia framework, users can easily override the insecure HTML sanitizer for a more secure alternative,” GoSecure says.
Read more of the latest security vulnerability news
The vulnerability has been reported to Aurelia’s development team. However, Acheche indicated that development has slowed down as of late, and so a fix or overhaul may not be forthcoming.
“The 2.0 version of its framework hasn’t been released and its biggest 1.x contributor is now working at Microsoft on fast so it remains to be seen what the future of the Aurelia framework [and its security] is,” he commented.
Defending the DOM
Since the discovery of the sanitization issue, Aurelia has updated its documentation on binding, warning users that the system is a “placeholder” for a more robust solution.
“It does NOT provide security against a wide variety of sophisticated XSS attacks, and should not be relied upon for sanitizing input from unknown sources,” the team says.
“You can replace the built-in sanitizer by registering your own implementation of HTMLSanitizer with the app at start-up.”
Aurelia recommends that users implement solutions such as sanitize-html or DOMPurify.
The Daily Swig has reached out to Aurelia and we will update when we hear back.