NiceGUI Cross-Site Scripting Vulnerability in Interactive Image Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in NiceGUI, a Python-based UI framework, affecting versions through 3.3.1. The issue arises in the 'ui.interactive_image' component, which renders SVG content using Vue's 'v-html' directive without proper sanitization. This flaw allows attackers to inject malicious HTML or JavaScript via the SVG '<foreignObject>' tag, particularly threatening dashboards or multi-user applications that display user-generated content or annotations.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed when the image component is rendered or updated. This is especially concerning in environments that showcase user-generated content or annotations.
Reproduction
To reproduce this vulnerability, create a NiceGUI application and use the 'ui.interactive_image' component to load an image from a URL. Then, set the 'content' property of the image to include SVG markup that injects a script, such as an image tag with an 'onerror' event. When the image component is rendered, the script will execute, demonstrating the XSS vulnerability.
Remediation
Users can update to NiceGUI version 3.4.0 or later, where this vulnerability has been fixed. After updating, it is recommended to review the usage of the 'ui.interactive_image' component and specify a sanitization function for SVG content, especially if it includes user input.
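The advisory above recommends running SVG markup through a sanitization function before it reaches the component. The block below is an added example, not NiceGUI's own code, of what such a function can look like: an allow-list sanitizer built on the standard library that keeps only common annotation shapes, drops every element not on the list (so '<foreignObject>' and '<script>' never survive), strips 'on*' event-handler attributes, and only keeps 'href' values that are same-document fragments. The page does not name the parameter NiceGUI 3.4.0 uses to accept a sanitization function, so the example applies the sanitizer to the string before it is assigned to the image's 'content' property (the commented hook-up and the 'https://example.invalid' URL are hypothetical). The sample markup in 'UNSAFE_SVG' is constructed for the demonstration.

```python
# Added example (not NiceGUI's own code): allow-list sanitizer for SVG overlays
# that will be assigned to ui.interactive_image(...).content.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements an annotation overlay is expected to contain (assumption: simple
# shapes and labels). Anything else, including foreignObject and script, is
# removed, so newly discovered dangerous elements are rejected by default.
ALLOWED_TAGS = {
    "svg", "g", "a", "rect", "circle", "ellipse", "line", "polyline",
    "polygon", "path", "text", "tspan", "title", "desc",
}


def _local(name: str) -> str:
    """Strip a namespace prefix like '{http://www.w3.org/2000/svg}rect' to 'rect'."""
    return name.rsplit("}", 1)[-1]


def _clean_element(elem: ET.Element) -> None:
    """Recursively remove disallowed children and attributes in place."""
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            elem.remove(child)  # drops the whole subtree, e.g. foreignObject and its HTML
        else:
            _clean_element(child)
    for attr in list(elem.attrib):
        name = _local(attr).lower()
        value = elem.attrib[attr].strip().lower()
        if name.startswith("on"):
            del elem.attrib[attr]  # event handlers never belong in an annotation
        elif name == "href" and not value.startswith("#"):
            del elem.attrib[attr]  # only same-document fragment links are kept


def sanitize_svg(content: str) -> str:
    """Return an allow-listed copy of `content`, or '' if it is not a well-formed <svg>.

    Failing closed matters here: the browser renders v-html with its lenient HTML
    parser, so markup this XML parser rejects may still be live in the browser.
    """
    ET.register_namespace("", SVG_NS)      # serialize as xmlns="..." rather than ns0:
    ET.register_namespace("xlink", XLINK_NS)
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return ""
    if _local(root.tag) != "svg":
        return ""
    _clean_element(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a legitimate rectangle plus the kinds of additions the
# advisory describes (an event handler, a foreignObject carrying HTML, a script).
UNSAFE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">'
    '<rect x="10" y="10" width="50" height="30" fill="red" onclick="x()"/>'
    '<foreignObject width="100" height="50"><div>html</div></foreignObject>'
    '<script>x()</script>'
    '</svg>'
)

if __name__ == "__main__":
    print(sanitize_svg(UNSAFE_SVG))
    # Hypothetical hook-up in a NiceGUI app (parameter names not taken from the page):
    # image = ui.interactive_image("https://example.invalid/photo.png")
    # image.content = sanitize_svg(user_supplied_svg)
```

Because the sanitizer keeps only listed element names, case variants such as '<foreignobject>' (which the browser's HTML parser would normalize back to 'foreignObject') are rejected as unknown rather than needing their own deny-list entry; extend 'ALLOWED_TAGS' only with elements your overlays actually need.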
