LeafKit HTML Escaping Vulnerability Leading to Cross-Site Scripting

A cross-site scripting (XSS) vulnerability has been identified in LeafKit, a templating language for Swift. This issue affects versions prior to 1.14.2. The vulnerability arises because HTML escaping is not properly applied when a template renders collections (arrays or dictionaries) using the '#(value)' syntax. As a result, potentially untrusted input can be displayed without proper escaping, creating an XSS risk.

Impact

Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a new Vapor project with Leaf as the templating engine. Use a Leaf template that includes a collection variable rendered with '#(value)'. In the corresponding route, pass a dictionary or array containing unescaped HTML, such as an image tag with an 'onerror' attribute. When the template is rendered, the injected script will execute, demonstrating the XSS vulnerability.

Remediation

Users can update to LeafKit version 1.14.2 or later, where this vulnerability has been fixed.