solid-js Lack of HTML Escaping in JSX Fragments Leading to Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability exists in solid-js versions prior to 1.9.4. The issue arises because Inserts/JSX expressions in illegal inlined JSX fragments were not properly escaped. This flaw allows user input to be rendered as HTML when directly inserted into JSX fragments. For example, a URL parameter could be crafted to include a script payload, which would then be executed when the fragment is rendered.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use solid-js version prior to 1.9.4 and create a component that includes an inlined JSX fragment. Insert a JSX expression that contains unescaped HTML, such as a script tag or an SVG with an event handler, into the fragment. When the component is rendered, the injected HTML will be executed, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to solid-js version 1.9.4 or later.