vapor leaf-kit
cpe:2.3:a:vapor:leafkit:*:*:*:*:*:*:*
- <= 1.4.0
A vulnerability in the Leafkit templating language, prior to version 1.4.1, results in improper HTML escaping of special characters. The issue arises because the 'htmlEscaped' function compares whole extended grapheme clusters, so a special character is escaped only when it forms a cluster on its own. This flaw can be exploited by using a cluster that combines a special HTML character with additional characters (for example a combining mark), bypassing the escape mechanism. In the context of HTML attributes, this could lead to Cross-Site Scripting (XSS) if a Leaf variable containing user-controlled data is included in the attribute.
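As an added illustration (not LeafKit's own code, and not a claim about how its 'htmlEscaped' was implemented), the following Swift puts an escaper that compares whole Characters beside one that walks Unicode scalars; the function names and the sample input are constructed for this example:

```swift
import Foundation

// Weak form: Swift's Character is an extended grapheme cluster, so a quotation
// mark followed by U+0301 (combining acute accent) is ONE Character that is
// not equal to "\"" and falls through to the default branch unescaped.
func escapeByCharacter(_ s: String) -> String {
    var out = ""
    for ch in s {
        switch ch {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(ch)
        }
    }
    return out
}

// Hardened form: iterate over Unicode scalars instead. The base quotation mark
// is then escaped on its own and the combining mark is copied through after
// "&quot;", where it can no longer close the attribute.
func escapeByScalar(_ s: String) -> String {
    var out = ""
    for scalar in s.unicodeScalars {
        switch scalar {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.unicodeScalars.append(scalar)
        }
    }
    return out
}

// Regression check for attribute context: reports whether a raw quotation
// mark scalar survived escaping, regardless of what cluster it sits in.
func leavesRawQuote(_ escaped: String) -> Bool {
    return escaped.unicodeScalars.contains("\"")
}

// Constructed input: a quotation mark carrying a combining acute accent.
let sample = "a\"\u{0301}b"

print("by Character:", escapeByCharacter(sample), leavesRawQuote(escapeByCharacter(sample)))
print("by scalar:   ", escapeByScalar(sample), leavesRawQuote(escapeByScalar(sample)))
```

Running the file with `swift` shows the Character-based escaper leaving the quotation mark in place while the scalar-based one emits `&quot;` followed by the combining mark.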
Exploitation of this vulnerability could result in Cross-Site Scripting (XSS) attacks, particularly if the affected site does not implement a strong Content Security Policy (CSP).
To reproduce this vulnerability, create a Vapor application that uses Leaf as the templating engine. In the 'routes.swift' file, set up a POST route that accepts user input and renders a Leaf template. The template should include an HTML attribute that references a Leaf variable. When posting data, include a value that exploits the HTML escaping flaw, such as a quotation mark combined with a combining accent, along with a JavaScript payload, like an 'onfocus' event.
Users can upgrade to Leafkit version 1.4.1 or later, where this vulnerability has been fixed.