html2pdf.js Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in html2pdf.js versions prior to 0.14.0. The issue arises when the library is given a text source instead of an element, as the text is not properly sanitized before being added to the DOM. This oversight allows malicious scripts to execute in the client's browser, potentially leading to session hijacking, data theft, and unauthorized actions. The vulnerability has been fixed in version 0.14.0 by sanitizing text sources with DOMPurify.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute arbitrary JavaScript in the context of the user's browser. This could lead to session hijacking, data theft, or unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, use a version of html2pdf.js prior to 0.14.0 and provide a string as the source instead of an element. The string can include malicious JavaScript payloads, such as an image tag with an 'onerror' event or a script tag. When the PDF is generated, the JavaScript will execute in the context of the user's browser.

Remediation

Users should update to html2pdf.js version 0.14.0 or later, and ensure that any text sources are properly sanitized before use.

Added: Jan 14, 2026, 5:29 PM
Updated: Jan 14, 2026, 5:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.