Listen to this Post
This vulnerability is a sanitizer bypass in configurations where the HTML `` tag is explicitly allowed. The sanitizer does not sanitize content within `` tags, as they are inert and not rendered under normal circumstances. However, two methods can force this content to execute. First, via mutation XSS exploiting the Chromium DOM parser’s node depth limit of 512. When nested within over 509 enclosing tags, the parser flattens the structure, effectively “popping” the <template>‘s inner malicious `` will attach a shadow root to the parent <div>, causing the <template>'s contents to be rendered and executed immediately, bypassing the sanitizer entirely.
Platform: HTML Sanitizer (.NET)
Version: <9.0.892, <9.1.893-beta
Vulnerability: Template Tag XSS
Severity: Medium
date: Not Publicly Disclosed
Prediction: Patched 2023-10-10
What Undercode Say:
dotnet list package HtmlSanitizer dotnet add package HtmlSanitizer --version 9.0.892
<!-- Depth Bypass Payload --> < div>[509+ more divs...]<template><img src=x onerror=alert(1)></template> <!-- Shadow DOM Bypass Payload --> < div><template shadowrootmode=open><script>alert(document.domain)</script></template>
How Exploit:
- Attacker submits crafted HTML containing a deeply nested `` tag with a script payload.
- Or, submits HTML using `` if the attribute is allowed.
- Victim's browser parses the payload, flattening the deep nodes or attaching a shadow root.
- The inert script within the `` becomes active and executes in the victim's context.
Protection from this CVE
- Update to HtmlSanitizer version 9.0.892 or later.
- Ensure `template` tag remains disallowed in sanitizer config (default).
- Do not add `shadowrootmode` to the AllowedAttributes list.
Impact:
Cross-Site Scripting (XSS)
Arbitrary Script Execution
Client-Side Security Bypass
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

