HTML-escaping of xss payload in User prefix field

[hunterale]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-openfire-userCreation-plugin/

⚙️ Description *

In the page to create and view a new created user, the (dangerous) characters of the prefix field that can cause an XSS are transformed in a way the are not dangerous any more

💻 Technical Description *

The XSS payload was insertend in the html template without escaping the dangerous characters. The fix is the followings: in the apache.commons.text (already present in the pom of the project) there is a the method that HTML-escapes dangerous characters; using the method to render in a safe way the prefix field of the form in the html page the the payload doesn't work any more

🐛 Proof of Concept (PoC) *

The video shows how the payload triggers the XSS after user creation. The version of the plugin is the one on the marketplace

xss_userCreation_plugin.mp4

🔥 Proof of Fix (PoF) *

The video shows that the payload doesn't trigger XSS anymore thantk to escaping some characters. The version of the plugin is 1.4.1-SNAPSHOT.

fixed_xss_userCreation_plugin.mp4

👍 User Acceptance Testing (UAT)

After the fix, the page is still working correctly as before the fix and the XSS is not triggered anymore

[JamieSlome]

👋 Hello, @akrherz - @hunterale has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@akrherz & @hunterale - thank you for your efforts in securing the world’s open source code! 🎉