You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
See additional considerations below for an example of how an exploit could be crafted if the cod-icon were used in a peculiar way.
Solutions:
(Short-term) Don't ever let data-size attribute value flow into the svg template string.
(Long-term) Create the SVG elements using JS DOM APIs instead of directly setting innerHTML
Additional Considerations
Given the way Icon.js is written, an XSS is extremely unlikely though can't be ruled out entirely.
Consider lines 16-38 and lines 50-52 of Icon.js. The only possibility of DOM based XSS would be if someone using the cod-icon component allowed user-input to flow into the data-size attribute of cod-icon in which case it would be passed through to the template string for the icon <svg/> (lines 50-52). Even then, the user-input would have to use some escaping technique to break from the SVG and execute arbitrary code. Something like data-size="\"</svg><img src='404' onerror='alert('malicious code')'>".
The text was updated successfully, but these errors were encountered:
Describe the bug
https://github.com/CityOfDetroit/COD-Design-System/security/code-scanning/246
See additional considerations below for an example of how an exploit could be crafted if the
cod-icon
were used in a peculiar way.Solutions:
data-size
attribute value flow into thesvg
template string.innerHTML
Additional Considerations
Given the way
Icon.js
is written, an XSS is extremely unlikely though can't be ruled out entirely.Consider lines 16-38 and lines 50-52 of
Icon.js
. The only possibility of DOM based XSS would be if someone using thecod-icon
component allowed user-input to flow into thedata-size
attribute ofcod-icon
in which case it would be passed through to the template string for the icon<svg/>
(lines 50-52). Even then, the user-input would have to use some escaping technique to break from the SVG and execute arbitrary code. Something likedata-size="\"</svg><img src='404' onerror='alert('malicious code')'>"
.The text was updated successfully, but these errors were encountered: