Possible XSS problem in moddle-xml reader.js file


#1

Hi,

We integrated bpmn-js as a viewer in our product; the version of bpmn-js is “v0.16.2” and bpmn-moddle is “v0.12.2”. Recently a Veracode scan reported a potential XSS (cross-site scripting) problem in /bpmn-io/moddle-xml/lib/reader.js, at the line parser.write(xml).close();

The following code uses Saxparser to write the XML.

  // deferred parse XML to make loading really asynchronous
  // this ensures the execution environment (node or browser)
  // is kept responsive and that certain optimization strategies
  // can kick in
  defer(function() {
    var error;

    try {
      parser.write(xml).close();
    } catch (e) {
      error = e;
    }

    done(error, error ? undefined : rootHandler.element, context);
  });

The Veracode scan attached the following details:

Details

This call to Document.write() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim’s browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

Can you help verify whether this is a real XSS problem, and if it is a false positive, can you attach the reasons?
If it is an XSS problem, do we have a fix for it?

Thanks in advance!

Best regards,
Yvonne


#2

This is a false positive.

parser is not an instance of Document but an instance of the XML parser.
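To make the distinction concrete, here is a minimal SAX-style parser with the same chainable write()/close() shape as the quoted snippet. It is an added illustration, not moddle-xml's or its parser's code, and the class name, the sample XML and the tree format are assumptions; it shows that the data written to such a parser ends up in an in-memory tree, not in a Document or an HTTP response, which is why the scanner's Document.write() rule does not apply.

```javascript
// Minimal SAX-style XML parser, added as an illustration (not moddle-xml's or
// its parser's code). Like the library's parser, write(chunk) returns the parser
// so calls chain and close() finishes the parse; the only output is an in-memory tree.
class MiniXmlParser {
  constructor() {
    this.buffer = '';
    this.root = null;
    this.stack = [];
    this.closed = false;
  }

  // Accepts raw XML text, possibly in chunks, and returns this so that
  // parser.write(xml).close() reads exactly as in the quoted snippet.
  write(chunk) {
    if (this.closed) throw new Error('parser already closed');
    this.buffer += chunk;
    return this;
  }

  // Tokenises the buffered text into open/close tags and character data.
  close() {
    this.closed = true;
    const token = /<\/([\w:.-]+)\s*>|<([\w:.-]+)([^>]*?)(\/?)>|([^<]+)/g;
    let m;
    while ((m = token.exec(this.buffer)) !== null) {
      if (m[1] !== undefined) {                 // closing tag: must match the open one
        const el = this.stack.pop();
        if (!el || el.name !== m[1]) throw new Error('unexpected </' + m[1] + '>');
      } else if (m[2] !== undefined) {          // opening or self-closing tag
        const attrs = Object.fromEntries([...m[3].matchAll(/([\w:.-]+)="([^"]*)"/g)].map(a => [a[1], a[2]]));
        const el = { name: m[2], attrs, children: [] };
        if (this.stack.length) this.stack[this.stack.length - 1].children.push(el);
        else this.root = el;
        if (!m[4]) this.stack.push(el);
      } else if (m[5].trim()) {                 // character data, stored as a plain string
        if (this.stack.length) this.stack[this.stack.length - 1].children.push(m[5]);
      }
    }
    if (this.stack.length) throw new Error('unclosed <' + this.stack.pop().name + '>');
    return this.root;
  }
}

// Constructed sample input: an element named "script" is just a tree node to
// the parser; it would only become a risk if later code wrote it into HTML.
const sampleXml = '<bpmn:definitions id="defs"><script>alert(1)</script><task name="a" /></bpmn:definitions>';

function parseDiagram(xml) {
  return new MiniXmlParser().write(xml).close();
}
```

The review question that remains is a different one: whether any code downstream of the parser writes the resulting names or text into HTML without escaping, which this parse step alone cannot answer.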