NiceGUI Cross-Site Scripting Vulnerability in HTML Rendering

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in NiceGUI, a Python UI framework, in versions prior to 3.0.0. The issue arises when developers pass unescaped user input to 'ui.html()' or 'ui.chat_message()', because in those versions the framework does not automatically sanitize HTML or JavaScript in the content it renders. This can lead to the execution of arbitrary JavaScript in the user's browser, potentially allowing session hijacking or phishing attacks. The vulnerability is present whenever user input is rendered directly into the DOM without proper escaping.

Impact

Exploitation of this vulnerability allows for reflected Cross-Site Scripting (XSS), where injected scripts are executed in the context of the user's browser session.

Reproduction

To reproduce this vulnerability, create a NiceGUI application that uses 'ui.html()' or 'ui.chat_message()' with unescaped user input. For example, an input field can be set up to render its value directly into the page using 'ui.html()' without sanitization. When a user submits HTML content, such as an image tag with an 'onerror' event handler, the injected JavaScript is executed, demonstrating the XSS vulnerability.

Remediation

Users can upgrade to NiceGUI version 3.0.0 or later, where this vulnerability has been fixed. For applications that require HTML rendering, it is recommended to use the 'sanitize' parameter with 'ui.html()' or 'ui.chat_message()' to remove any potentially harmful content before displaying it.
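The following is an added example (not code from the NiceGUI project or from this advisory) that puts the reproduction and remediation sections side by side in code. The pure functions show the difference between what a pre-3.0 'ui.html(user_text)' call injects verbatim and the escaped, inert text a hardened handler should pass instead; the NiceGUI sketch at the bottom uses the 'sanitize' parameter the remediation section names for 3.0.0 and later. The sample input, the 'escape_for_dom' / 'render_*' helper names and the exact 'sanitize' keyword signature are assumptions made for this example; check the installed version's documentation.

```python
"""Added example: keeping untrusted text inert before it reaches the DOM.

Only the pure helper functions run offline; the NiceGUI sketch under
__main__ is for illustration and assumes NiceGUI 3.0.0+ is installed.
"""
import html
import re

# Constructed sample input of the kind the reproduction section describes:
# an image tag whose onerror handler carries script.  Constructed for this
# example, not taken from the advisory.
SAMPLE_INPUT = '<img src=x onerror="alert(1)">'

# Rough pattern for markup that can carry script: a tag opener, an on*=
# event-handler attribute, or a javascript: URL.  Used for logging and
# counting only; it is not a sanitiser and must not be relied on as one.
_ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def escape_for_dom(user_text: str) -> str:
    """Escape every HTML-significant character so the browser shows the
    input literally.  No element or attribute can be formed from the
    result, so an onerror handler is never parsed as one."""
    return html.escape(user_text, quote=True)


def looks_like_active_markup(user_text: str) -> bool:
    """Heuristic a defender can use to log or count suspicious input."""
    return _ACTIVE_MARKUP.search(user_text) is not None


def render_vulnerable(user_text: str) -> str:
    """What a pre-3.0 ui.html(user_text) call injected into the DOM: the
    raw string, unchanged (the flaw described in the advisory)."""
    return user_text


def render_hardened(user_text: str) -> str:
    """What the hardened handler passes to ui.html(): escaped, inert text.
    Use this when the input is meant to be displayed as plain text."""
    return escape_for_dom(user_text)


if __name__ == "__main__":
    # Hardened NiceGUI page (assumes NiceGUI 3.0.0+; the 'sanitize' keyword
    # is the parameter named in the remediation section, its exact signature
    # is assumed here).
    from nicegui import ui

    def show(e) -> None:
        value = e.value or ""
        if looks_like_active_markup(value):
            # Defender-side visibility: record that script-bearing markup
            # arrived, then render it safely anyway.
            print("active markup in user input, rendering safely:", repr(value))
        # Plain-text display: escape first, so nothing can form a tag.
        ui.html(render_hardened(value))
        # Rich-text display that must keep some markup: let the framework
        # strip dangerous content instead of passing the raw value.
        ui.html(value, sanitize=True)
        # Pre-3.0 pattern from the reproduction section, shown only as a
        # comment:  ui.html(value)  # raw user input reaches the DOM

    ui.input("Type something", on_change=show)
    ui.run()
```

Run it with NiceGUI 3.0.0 or later installed and type markup into the field: the first 'ui.html()' call shows the tag text literally, the second keeps harmless markup but drops the event handler, and neither path executes script. For input that never needs markup, 'ui.label(value)' is the simplest safe choice, since it renders text rather than HTML.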

Added: Oct 3, 2025, 8:18 PM
Updated: Oct 3, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.