# Vulnerability Summary: Stored XSS in JeecgBoot Message Content

## Vulnerability Overview

A stored Cross-Site Scripting (XSS) vulnerability exists in the `msgContent` parameter of the JeecgBoot `/a/msg/msgInner/save` interface. Attackers can bypass the server-side regex-based filtering mechanism by constructing malicious HTML content (e.g., ``). When other users view the message, the malicious script executes in their browsers.

## Impact Scope

- **Affected Versions**: JeecgBoot 5.1.5 and earlier
- **Exploitation Conditions**: The user must have permission to send messages
- **Impact**: Can lead to arbitrary JavaScript execution, session hijacking, privilege escalation, etc.

## Remediation

### Short-term Fixes

1. **Frontend Filtering**: Use DOMPurify to whitelist-filter content rendered via `v-html`

```javascript
import DOMPurify from 'dompurify';

// Before assigning to v-html
const sanitized = DOMPurify.sanitize(rawContent, {
  ALLOWED_TAGS: ['p', 'span', 'br', 'b', 'i', 'u', 'strong', 'em', 'a', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote'],
  ALLOWED_ATTR: ['style', 'href', 'target', 'class'],
  ALLOW_DATA_ATTR: false,
  // Allowlist of URI schemes: rejects javascript: and any other scheme not listed here
  ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i
});
```

2. **Enhanced Server-side Filtering**:
   - Expand the blacklist of tags: add `object`, `embed`, `svg`, `math`, `video`, `audio`, `form`, `details`, `base`, etc.
   - Expand protocol checks for attributes: check all URL-accepting attributes (not just `href` and `src`), and decode HTML entities before matching.

### Long-term Fixes

Replace regex-based filtering with a server-side HTML security library (such as OWASP Java HTML Sanitizer or Jsoup Cleaner) that parses the DOM tree and applies semantic filtering, which avoids regex bypasses.

## POC Code

### 1. Inject Malicious Content

```http
POST /a/msg/msgInner/save HTTP/1.1
Host: localhost:3000
Content-Length: 300
Origin: http://localhost:3000
...

{"msgContent":""}
```

### 2. View Message to Trigger XSS

```http
GET /a/msg/msgInner/view HTTP/1.1
Host: localhost:3000
...

{"msgContent":""}
```

### 3. More Powerful Bypass Payload (Using HTML Entity Encoding)

```html
```

or

```html
Click to view details
```
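The long-term fix above recommends a parser-based server-side sanitizer. The following is an added example, not JeecgBoot's own code, of a Jsoup `Safelist` policy for `msgContent` that mirrors the client-side DOMPurify allowlist; it assumes the `org.jsoup:jsoup` dependency is on the classpath and that `MsgContentSanitizer` is a hypothetical class name. Because Jsoup parses the input into a DOM before the policy is applied, entity-encoded scheme names and malformed tags are normalised by the parser rather than matched by regex, and `style` is deliberately omitted because Jsoup does not sanitise CSS values.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Server-side allowlist sanitizer for msgContent (hypothetical class, added example). */
public final class MsgContentSanitizer {

    // Policy built once. Safelist.none() starts with nothing allowed; every tag,
    // attribute and URL scheme must be opted in explicitly.
    private static final Safelist POLICY = Safelist.none()
            .addTags("p", "span", "br", "b", "i", "u", "strong", "em", "a",
                     "ul", "ol", "li", "h1", "h2", "h3", "blockquote")
            .addAttributes(":all", "class")            // ":all" = any allowed tag
            .addAttributes("a", "href", "target")
            // Only these schemes survive on href; javascript:, data:, vbscript: etc.
            // are dropped after Jsoup has decoded entities and resolved the URL.
            .addProtocols("a", "href", "http", "https", "mailto")
            // Every surviving link is forced to carry rel="noopener noreferrer"
            .addEnforcedAttribute("a", "rel", "noopener noreferrer");

    private MsgContentSanitizer() {}

    /** Returns body-safe HTML; call this before persisting msgContent on /a/msg/msgInner/save. */
    public static String sanitize(String rawMsgContent) {
        if (rawMsgContent == null) {
            return "";
        }
        return Jsoup.clean(rawMsgContent, POLICY);
    }

    public static void main(String[] args) {
        // Constructed inputs for a local check; none of these are from the advisory.
        String[] samples = {
            "<p>Hello <b>team</b></p>",                     // kept as-is
            "<p onmouseover=\"x()\">text</p>",              // event handler attribute dropped
            "<a href=\"https://example.com\">ok</a>",        // kept, rel enforced
            "<a href=\"&#106;avascript:void(0)\">bad</a>",   // href removed: scheme not allowlisted
            "<svg><script>x()</script></svg>"                // tags not allowlisted: removed
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + sanitize(s).replace("\n", ""));
        }
    }
}
```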