Headline
GHSA-x77j-w7wf-fjmw: Nunjucks autoescape bypass leads to cross site scripting
Impact
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.
Example
If the user-controlled parameters were used in the views similar to the following:
<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>
It is possible to inject XSS payload using the below parameters:
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
Patches
The issue was patched in version 3.2.4.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
Impact
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.
Example
If the user-controlled parameters were used in the views similar to the following:
<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>
It is possible to inject XSS payload using the below parameters:
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
Patches
The issue was patched in version 3.2.4.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
References
- GHSA-x77j-w7wf-fjmw
- mozilla/nunjucks#1437
- mozilla/nunjucks@ec16d21
- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
- https://github.com/mozilla/nunjucks/releases/tag/v3.2.4