fast-xml-builder XML Injection Vulnerability in Attribute Handling

Vulnerability

A vulnerability in fast-xml-builder versions prior to 1.1.7 allows for the injection of unwanted attributes into XML or HTML. This occurs when input data contains quotes in attribute values, but the 'process entities' option is not enabled, causing the attribute value to be split into multiple attributes.

Impact

Exploitation of this vulnerability could lead to the injection of malicious attributes into the generated XML or HTML, potentially causing unintended behavior in applications that process this output.

Reproduction

To reproduce this vulnerability, craft JSON input data whose attribute values contain double quotes. When the 'process entities' flag is set to false, fast-xml-builder emits the attribute value without escaping the quotes, so the value is split into multiple attributes. This can be verified by including a JavaScript event handler, such as 'onClick', in the attribute value; it will be executed when the resulting HTML is rendered.

Remediation

Users are advised to update to fast-xml-builder version 1.1.7 or later. If an immediate update is not possible, ensure that the 'process entities' flag is set to true.
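The following added example illustrates the reproduction and the remediation above with a small stand-in builder. It is not fast-xml-builder's own code: the escaping routine, the `processEntities` option name and the `countAttributes` check are assumptions modelled on the advisory's wording, and the injected attribute in the sample input is a constructed, benign value. The check counts how many attributes a consumer would actually see, which is the quickest way to confirm whether an attribute value has been split.

```javascript
// Added example (not fast-xml-builder's code). A minimal element builder
// with a `processEntities` switch that mirrors the weak and the corrected
// setting described in the advisory; option name is an assumption.

// Escape the XML special characters so a value can sit inside a
// double-quoted attribute. This is what "process entities" should do.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Build one element from a JSON-like object of attributes.
// processEntities:false interpolates the raw value unchanged (weak setting);
// processEntities:true escapes it first (corrected setting).
function buildElement(tag, attrs, { processEntities }) {
  const parts = Object.entries(attrs).map(([name, raw]) => {
    const value = processEntities ? escapeAttr(raw) : String(raw);
    return `${name}="${value}"`;
  });
  return `<${tag} ${parts.join(' ')}/>`;
}

// Defender-side check: count the attributes a consumer would see in the
// emitted element. Tiny tokenizer, adequate for the single-element output
// produced by buildElement above.
function countAttributes(element) {
  const inner = element.replace(/^<\w+\s*/, '').replace(/\s*\/?>$/, '');
  const matches = inner.match(/[^\s="]+="[^"]*"/g);
  return matches ? matches.length : 0;
}

// True when the emitted element carries exactly the attributes that were
// requested, i.e. no value has been split into extra attributes.
function attributesIntact(attrs, element) {
  return countAttributes(element) === Object.keys(attrs).length;
}

// Constructed sample input: one attribute whose value tries to close the
// quote and start a second, benign attribute.
const SAMPLE_ATTRS = { title: 'x" injected="1' };

function demo() {
  const weak = buildElement('a', SAMPLE_ATTRS, { processEntities: false });
  const fixed = buildElement('a', SAMPLE_ATTRS, { processEntities: true });
  return {
    weak,                       // <a title="x" injected="1"/>  (2 attributes)
    weakIntact: attributesIntact(SAMPLE_ATTRS, weak),   // false
    fixed,                      // <a title="x&quot; injected=&quot;1"/>
    fixedIntact: attributesIntact(SAMPLE_ATTRS, fixed), // true
  };
}

console.log(demo());
```

Run with `node` to see both outputs side by side; `attributesIntact` is the kind of assertion a test suite can run over generated markup to catch a regression to the unescaped behaviour.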

Added: May 13, 2026, 5:16 PM
Updated: May 13, 2026, 5:16 PM

Vulnerability Rating (Custom Algorithm)

  Category         Score
  spread           0.0
  impact           0.6
  exploitability   8.7
  remediation      0.0
  relevance        8.2
  threat           6.4
  urgency          2.9
  incentive        4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.