@cyntler/react-doc-viewer Cross-Site Scripting Vulnerability in TXTRenderer Component

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in the @cyntler/react-doc-viewer package, specifically in version 1.17.1. The issue is in the TXTRenderer component, which takes the raw content of a .txt file and casts it directly to a ReactNode for rendering, with no sanitization step in between. A remote attacker who can get a crafted .txt file loaded into the viewer, for example by uploading it to an application that displays user-supplied documents, can thereby execute arbitrary JavaScript in the origin of that application.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to run in the victim's browser, in the origin of the application that embeds the viewer. Depending on how that application stores credentials, this can lead to session hijacking through theft of cookies or localStorage data, unauthorized actions performed with the victim's privileges, defacement of the page, and phishing content shown to users of the affected platform.

Reproduction

To reproduce this vulnerability, create a .txt file containing HTML with active content, such as a script tag or an image tag with an error event handler, for example `<img src=x onerror=alert(document.domain)>`. Open the file in the document viewer; if the TXTRenderer is vulnerable, the handler fires as soon as the broken image fails to load. The event-handler variant is the reliable probe: a `<script>` tag inserted into the DOM via an innerHTML-style sink is not executed by browsers, so its absence of an alert does not by itself prove the renderer is safe.

Remediation

To address this vulnerability, stop treating the file as HTML. A .txt renderer should render the file as text: pass the string to React as an ordinary text child (or set it via textContent) inside an element styled with `white-space: pre-wrap`, so the browser escapes it and never parses it as markup. React already escapes plain string children, so the sink only exists where the content reaches the DOM as raw HTML, for instance through dangerouslySetInnerHTML; confirm which path the deployed version uses before relying on this. If the application genuinely needs HTML in .txt files to render as HTML, sanitize the content with a maintained library such as DOMPurify before passing it to dangerouslySetInnerHTML, and pass the sanitized output to no other sink. In either case, upgrade to a fixed release of the package if one is available.
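The following is an added example and is not code from @cyntler/react-doc-viewer or its authors. It models, in plain Node with no dependencies, the two ways a .txt file's contents can reach the DOM: the text path React uses for string children (which escapes the markup) and the raw-HTML path used by dangerouslySetInnerHTML (which does not). The payload is constructed for the example from the Reproduction section above. DOMPurify is deliberately not imported so the block runs offline; the comment on renderSanitizedHtml shows where DOMPurify.sanitize would plug in for the case where HTML rendering is actually required.

```javascript
// Added example, not the project's code. Models the text sink and the raw-HTML
// sink for a .txt file and shows which one is live for an XSS payload.

// Constructed .txt payload of the kind described under Reproduction: a script
// tag plus an image tag whose error handler fires when the bogus src fails.
const CONSTRUCTED_TXT_PAYLOAD = [
  "Quarterly report",
  "<script>alert('script tag')</script>",
  '<img src=x onerror="alert(document.domain)">',
].join("\n");

// Text path: what React does with a string child and what textContent does.
// Every markup-significant character becomes an entity, so the browser shows
// the tags literally and parses nothing as HTML.
function renderAsText(fileData) {
  const entities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(fileData).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Raw-HTML path: what dangerouslySetInnerHTML / innerHTML does. The string is
// handed to the HTML parser unchanged. This is the vulnerable sink.
function renderAsHtml(fileData) {
  return String(fileData);
}

// Sanitized HTML path, for the case where HTML in .txt files must render as
// HTML. `sanitize` is a caller-supplied function; in a real app pass
// DOMPurify.sanitize (assumption: that library is installed).
function renderSanitizedHtml(fileData, sanitize) {
  return sanitize(String(fileData));
}

// Triage check for a rendered string or an upload: does it still contain a
// script element, an inline event handler, or a javascript: URL? This is not a
// sanitizer and must not be used as one; it only tells you whether a sink is live.
const ACTIVE_MARKUP = /<\s*[a-z][^>]*\bon[a-z]+\s*=|<\s*script\b|javascript:/i;
function containsActiveMarkup(rendered) {
  return ACTIVE_MARKUP.test(rendered);
}

// Run the constructed payload through both sinks and report which is live.
function demo() {
  return {
    textSinkIsLive: containsActiveMarkup(renderAsText(CONSTRUCTED_TXT_PAYLOAD)),
    htmlSinkIsLive: containsActiveMarkup(renderAsHtml(CONSTRUCTED_TXT_PAYLOAD)),
  };
}

console.log(demo());
```

The text path is the fix for a plain-text renderer: nothing the file contains survives as markup, so there is nothing to sanitize. The sanitized-HTML path exists only for applications that must interpret HTML, and its safety depends entirely on the sanitizer supplied, which is why the example takes it as a parameter rather than rolling its own.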

Added: May 20, 2026, 6:19 PM
Updated: May 20, 2026, 6:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 7.5
remediation: 0.0
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.