huntr / wfinn / 86F6A762-0F3D-443D-A676-20F8496907E0
History: Apr 21, 2022 - 12:44 p.m.

Reflected XSS on demo.microweber.org/demo/module/

2022-04-21 12:44:34
wfinn
www.huntr.dev

6.1 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 48.2%

Description

Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters.

Proof of Concept

https://demo.microweber.org/demo/module/?module='ont<a>ransitionend=alert(1)'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org

Press tab for the alert() to show up.

Okay, 3 things to unpack here:

  • " and ' at various places allow breaking out of the HTML (root cause of the XSS)
  • ont<x>ransitionend gets sanitized to ontransitionend and bypasses the XSS filter
  • style="transition:outline 1s" tabindex=1 is the setup you need to trigger a transition without a <style> tag

Took me some time to finally find an XSS payload that runs here :)

I'd suggest you do not allow breaking out of the HTML here, so filter ' & ". ont<x>ransitionend should be examined; this trick doesn't work in every parameter. Additionally, some JS event handlers are allowed, e.g. onunhandledrejection, you could think about an on.*= regex.
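An added illustration (example code, not Microweber's filter nor the reporter's) of why the tag-split trick in the bullets above defeats a filter that checks the raw value before stripping tags, and how a filter that normalizes first, matches a generic on*= pattern and escapes quotes for attribute context (the fixes the report suggests) handles the same input. The function names, the fixed blocklist and the sample payload are assumptions for this example.

```python
import html
import re

# Constructed sample: the module= value from the report, as it lands in an attribute.
PAYLOAD = "'ont<a>ransitionend=alert(1)'\"tabindex=1"

TAG_RE = re.compile(r"<[^>]*>")
# Assumed fixed blocklist, the kind of check a naive filter performs.
# Even listing ontransitionend does not help: the raw input never contains it whole.
BAD_HANDLERS = ("onclick", "onload", "onerror", "onmouseover", "ontransitionend")
# Generic handler pattern: any on...= attribute, as the report recommends.
ON_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def strip_tags(value: str) -> str:
    """Remove anything that looks like a tag, in one pass."""
    return TAG_RE.sub("", value)


def naive_filter(value: str) -> str:
    """Flawed order: check the raw input, then strip tags.
    The embedded <a> splits the handler name, so the check never sees it,
    and stripping afterwards reassembles 'ontransitionend='."""
    lowered = value.lower()
    if any(handler in lowered for handler in BAD_HANDLERS):
        return ""
    return strip_tags(value)


def normalize(value: str) -> str:
    """Strip tags until the value stops changing, so no split survives."""
    previous = None
    while value != previous:
        previous, value = value, strip_tags(value)
    return value


def hardened_filter(value: str) -> str:
    """Normalize first, match on*= on the normalized form, then escape quotes
    so the value cannot leave its attribute (the reported root cause)."""
    normalized = normalize(value)
    if ON_ATTR_RE.search(normalized):
        return ""
    return html.escape(normalized, quote=True)


if __name__ == "__main__":
    print("naive   :", naive_filter(PAYLOAD))     # handler reassembled, quotes intact
    print("hardened:", repr(hardened_filter(PAYLOAD)))  # rejected
```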
