i18nextify URL Scheme Validation Vulnerability Leading to DOM-Based Cross-Site Scripting

Vulnerability

A vulnerability in the i18nextify library, affecting versions prior to 4.0.8, stems from improper validation of URL schemes in translated content. The library replaces interpolation tokens in 'src' and 'href' attributes with raw translation strings without checking that the resulting URL is safe. An attacker who can influence the translation source or the backend response can therefore inject malicious scripts or HTML into the DOM.

Impact

Exploitation of this vulnerability results in DOM-based Cross-Site Scripting (XSS): a translated 'href' or 'src' value carrying a 'javascript:' URL, or a 'data:' URL wrapping script, executes in the context of the page.

Reproduction

The vulnerability can be reproduced by creating a translation that includes a dangerous URL scheme, such as 'javascript:', 'data:text/html', 'vbscript:', or 'file:'. This can be done by influencing the translation file or backend response, for example, through a compromised translation CDN or by contributing malicious content to user-generated locales. Once the translation is loaded, the harmful URL will be applied to the specified attribute, executing the injected script or payload.

Remediation

Upgrade to i18nextify version 4.0.8 or later, where this vulnerability is fixed. The patched version includes a URL-scheme blocklist that removes dangerous prefixes from translated 'href' and 'src' attributes before they are applied to the DOM. For applications with partially trusted translation sources, an optional 'sanitize' hook can be configured to clean HTML content before it is rendered.
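As an added illustration of the scheme check described above (example code, not i18nextify's own implementation), the block below normalises a translated URL the way browsers do before comparing its scheme against the four schemes named in this advisory, and drops a blocked 'href' or 'src' instead of writing it to the element. The element stand-in and the translation values are constructed for the example.

```javascript
// Added example, not i18nextify's own code: a scheme blocklist applied to
// translated href/src values before they reach the DOM.
const BLOCKED_SCHEMES = ['javascript', 'data', 'vbscript', 'file'];

// Browsers strip ASCII tab/newline anywhere in a URL and trim leading and
// trailing control characters before parsing, so the check normalises the
// same way; a plain startsWith('javascript:') would miss " java\tscript:".
function normalizeUrl(value) {
  return String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .toLowerCase();
}

// Scheme of a URL (e.g. "https"), or null for a relative URL, which resolves
// against the page origin and cannot introduce a script scheme.
function urlScheme(value) {
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(normalizeUrl(value));
  return m ? m[1] : null;
}

function isBlockedUrl(value) {
  const scheme = urlScheme(value);
  return scheme !== null && BLOCKED_SCHEMES.includes(scheme);
}

// Hardened pattern: a translated href/src with a blocked scheme is dropped
// rather than written verbatim; returns whether the attribute was set.
function applyTranslationChecked(el, attr, translation) {
  if ((attr === 'href' || attr === 'src') && isBlockedUrl(translation)) {
    el.removeAttribute(attr);
    return false;
  }
  el.setAttribute(attr, translation);
  return true;
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
function fakeElement() {
  const attrs = new Map();
  return {
    setAttribute: (k, v) => attrs.set(k, String(v)),
    removeAttribute: (k) => attrs.delete(k),
    getAttribute: (k) => (attrs.has(k) ? attrs.get(k) : null),
  };
}
```

Blocking 'data:' wholesale also strips legitimate inline 'data:' images from 'src'; an allowlist of the schemes the application actually uses is the tighter alternative to this blocklist.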

Added: May 7, 2026, 9:35 PM
Updated: May 7, 2026, 9:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.8
remediation: 0.0
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.