NiceGUI Cross-Site Scripting Vulnerability in History Navigation Methods
Vulnerability
A cross-site scripting (XSS) vulnerability exists in NiceGUI, a Python-based UI framework, in versions from 2.13.0 up to, but not including, 3.4.1. The issue arises when developers pass user-controlled strings into the 'ui.navigate.history.push()' or 'ui.navigate.history.replace()' methods. These methods are intended to update the browser URL without reloading the page. However, because the URL argument is embedded into generated JavaScript without proper escaping, an attacker who controls it can break out of the string context and execute arbitrary JavaScript in the victim's browser. This vulnerability affects any NiceGUI application that forwards untrusted input into these navigation methods.
Impact
Exploitation of this vulnerability allows for DOM-based cross-site scripting, where attacker-controlled input is embedded into JavaScript via the 'ui.navigate.history.push()' or 'ui.navigate.history.replace()' methods. This could lead to client-side code execution, injection of phishing user interfaces, or other typical XSS impacts.
Reproduction
To reproduce this vulnerability, create a NiceGUI application that calls 'ui.navigate.history.push()' or 'ui.navigate.history.replace()' with untrusted input. Such input may come from attacker-controlled sources such as URL path segments or query parameters. Once the application is running, click a button that triggers the navigation method with the crafted payload; the payload can include JavaScript that executes in the page, such as an alert displaying the document's domain.
Remediation
Users can update to NiceGUI version 3.5.0, which addresses this vulnerability by properly escaping user-defined URLs in the 'ui.navigate.history.push()' and 'ui.navigate.history.replace()' methods.
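The following is an added illustration, not NiceGUI's own code, of the escaping defect described above and of the remediation. It assumes (an assumption, not confirmed by this advisory) that the navigation helper builds a 'history.pushState()' call as a JavaScript string and interpolates the URL into a double-quoted literal; the function names are hypothetical. The check at the end parses the generated JavaScript for string literals and verifies that the URL survives as one intact literal, which is the property the unsafe builder loses and the JSON-escaping builder keeps.

```python
import json


def build_push_js_unsafe(url: str) -> str:
    """Hypothetical reconstruction of the vulnerable pattern: the URL is
    dropped into a double-quoted JavaScript literal by plain string
    formatting, so a quote or newline in the URL ends the literal early."""
    return f'history.pushState({{}}, "", "{url}")'


def build_push_js_safe(url: str) -> str:
    """Hardened form: json.dumps() produces a JavaScript-compatible string
    literal in which quotes, backslashes and control characters are escaped,
    so the whole URL stays inside one literal whatever it contains."""
    return f'history.pushState({{}}, "", {json.dumps(url)})'


def js_string_literals(js: str):
    """Scan `js` for double-quoted string literals, honouring backslash
    escapes. Returns (raw_literal_bodies, all_literals_terminated)."""
    literals = []
    i, n = 0, len(js)
    while i < n:
        if js[i] != '"':
            i += 1
            continue
        i += 1                      # skip the opening quote
        start = i
        closed = False
        while i < n:
            if js[i] == "\\":       # escaped character: skip it entirely
                i += 2
                continue
            if js[i] == '"':
                closed = True
                break
            i += 1
        literals.append(js[start:i])
        if not closed:
            return literals, False  # ran off the end: unterminated literal
        i += 1                      # skip the closing quote
    return literals, True


def url_stays_in_literal(js: str, url: str) -> bool:
    """True only if some string literal in `js` decodes back to exactly
    `url`; a breakout (extra quote, raw newline, unterminated literal)
    makes this False, which is the condition a defender wants to catch."""
    literals, terminated = js_string_literals(js)
    if not terminated:
        return False
    for raw in literals:
        try:
            if json.loads('"' + raw + '"') == url:
                return True
        except ValueError:
            # raw control characters or bad escapes: not a valid literal
            pass
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign path, a path containing a double
    # quote, and a path containing a newline.
    for sample in ["/page?q=1", 'page" + "s', "a\nb"]:
        unsafe = build_push_js_unsafe(sample)
        safe = build_push_js_safe(sample)
        print(repr(sample))
        print("  unsafe intact:", url_stays_in_literal(unsafe, sample))
        print("  safe   intact:", url_stays_in_literal(safe, sample))
```

Escaping at the point where the URL is serialized into JavaScript is the fix the advisory describes; applications that accept navigation targets from request data should additionally validate them (for example, accept only same-origin relative paths) so that an unexpected value never reaches the call at all.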
