Hi,

The example you've given is showing that DSpace is simply turning the "user 
input" into plain text.  It is not allowing for scripts to be executed, as 
would be required for an XSS attack, as the "<script>" tag (in your 
example) is never executed...it's just displayed as if it were plain text.

Angular itself has quite robust XSS protections built-in.  DSpace does not 
disable these protections, which means that user input, by default, is 
untrusted and escaped in Angular so that it cannot be executed.  See the 
Angular docs 
at 
https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss 
on how this works.

So, the behavior you are seeing is *escaped user input*...it has been 
turned into plain text, so that it cannot be executed in the user's browser.
Therefore, I believe this is a "false positive" from your Qualys WAS Report.

If you've somehow found a way to *bypass* that escaped user input, then I'd 
ask that you report the *exact exploit* to secur...@dspace.org and we'll 
take a closer look. See also our Security Policy 
at https://github.com/DSpace/DSpace/security.

Thanks,

Tim

On Monday, February 24, 2025 at 9:41:30 AM UTC-6 hbla...@gmail.com wrote:

> Dear dspace-tech Team,
>
> I am writing to request your support regarding a critical Cross-Site 
> Scripting (XSS) vulnerability that has been detected in our repository. 
> According to the recent Qualys WAS report, a reflected XSS vulnerability 
> has been identified on the browsing interface (specifically within the 
> "browse/author" endpoint) of our repository. The report confirms that 
> unsanitized user input is being echoed in the HTML response, which could 
> allow an attacker to inject malicious scripts.
>
> Key details include:
> • The vulnerability has been assigned a Severity Level 5, indicating a 
> confirmed and critical issue.
> • The issue appears when user-supplied data is not properly HTML-encoded, 
> allowing XSS payloads to be reflected in the response.
> • Although no active exploit has been confirmed yet, the potential for 
> credential theft and data compromise is significant.
>
> Given the potential impact on our users and the integrity of the 
> repository, I kindly request your assistance in reviewing the issue and 
> advising on the appropriate remediation measures. Specifically, guidance on 
> implementing robust HTML encoding and input validation to prevent the 
> execution of injected scripts would be highly appreciated.
>
> For example: 
> https://demo.dspace.org/browse/author?value=Barquero-Romero,%20Jose%20Pablo%20%3Cscript%3E_q_q%3Drandom(Ppf3jbNx)%3C
>
> Thank you for your prompt attention to this matter. I look forward to your 
> expert advice and support to resolve this vulnerability as soon as possible.
>
> Best regards,
>
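The distinction Tim draws above (payload reflected as escaped text versus reflected as live markup) can be checked mechanically when triaging a scanner finding. The following is an added example and not DSpace or Angular code; it reproduces the text-node escaping Angular's interpolation applies, decodes the `value` parameter from the reported URL, and classifies a response body as "escaped" (false positive) or "raw" (real reflection). The response bodies are constructed for the example; a real DSpace page carries far more markup.

```javascript
// Added example (not DSpace or Angular code): escape untrusted text the way an
// HTML text node is serialised, then triage a "reflected XSS" finding by checking
// whether the payload comes back entity-encoded or as raw markup.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Contextual escaping for an HTML text node: the characters that can open
// markup or terminate an attribute become entity references.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Extract the reflected parameter from a browse URL using the same
// percent-decoding the browser applies.
function browseValue(url) {
  return new URL(url).searchParams.get("value");
}

// Classify how a reflected value appears in a response body:
//   "escaped"       payload present only as entity-encoded text (scanner false positive)
//   "raw"           payload's markup appears unencoded (worth a real look)
//   "not-reflected" payload does not appear at all
//   "no-markup"     value contains nothing that could open a tag or attribute
function classifyReflection(responseBody, value) {
  if (!/[<>"'&]/.test(value)) return "no-markup";
  if (responseBody.includes(value)) return "raw";
  if (responseBody.includes(escapeHtml(value))) return "escaped";
  return "not-reflected";
}

// Constructed sample: the URL from the report, plus two response fragments
// built by hand, one rendered as an escaped text node and one rendered raw.
const REPORT_URL =
  "https://demo.dspace.org/browse/author?value=Barquero-Romero,%20Jose%20Pablo%20%3Cscript%3E_q_q%3Drandom(Ppf3jbNx)%3C";
const value = browseValue(REPORT_URL);
const escapedBody = `<h2>Browsing by Author "${escapeHtml(value)}"</h2>`; // what Angular produces
const rawBody = `<h2>Browsing by Author "${value}"</h2>`;                 // constructed: a real bug

const ESCAPED_RESULT = classifyReflection(escapedBody, value); // "escaped"
const RAW_RESULT = classifyReflection(rawBody, value);         // "raw"
console.log(JSON.stringify(value), "->", ESCAPED_RESULT, "/", RAW_RESULT);
```

Run the same check against the actual HTTP response captured by the scanner: an "escaped" result with `&lt;script&gt;` in the body is the situation described in the reply; only a "raw" result warrants a report to the security address.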
