Our corporate security policy has a restriction that prevents adding comments to ServiceNow work notes and comments that include embedded HTML. The reasoning is that the user could inject malicious HTML with JavaScript, though I’m not convinced this policy is still valid as ServiceNow has added improvements since this feature was introduced in 2017. We’d like to enable it, so I’m trying to validate the extent of that security risk.
Out of the box, ServiceNow has an HTML Sanitizer that has both a whitelist and blacklist of HTML elements and their attributes.
While the following is not a comprehensive list, here’s the sample code that I’m using for testing:
Possible XSS attacks:
1. [code]<script>alert('XSS Attack!');</script>[/code]
2. [code]<img src="image.jpg" onerror="alert('XSS Attack!');" />[/code]
3. [code]<iframe src="https://www.google.com"></iframe>[/code]
4. [code]<a href="javascript:alert('XSS Attack!');">Link</a>[/code]
5. [code]<div style="background-image: url('javascript:alert('XSS Attack')');"></div>[/code]
6. [code]<input type="text" value="XSS" onfocus="alert('XSS Attack');" />[/code]
As expected, the resulting HTML obtained from the browser shows that the HTMLSanitizer either HTML encoded or stripped out the elements and attributes that would allow for code injection:
<br>Possible XSS attacks:
<br>
<br>1. <script>alert('XSS Attack!');</script>
<br>2. <img src="image.jpg">
<br>3. <iframe></iframe>
<br>4. Link
<br>5. <div style="background-image: url('javascript:alert('XSS Attack')');"></div>
<br>6. <input type="text"></div>
The only exception is the CSS attack through an inline style where a URL could point to a JavaScript block:
<div style="background-image: url('javascript:alert('XSS Attack')');" />
The Network tab of the Developer Tools shows that the inline style was evaluated, but failed with a net::ERR_UNKNOWN_URL_SCHEME.
It appears that Chrome 129 doesn’t recognize the javascript: URL scheme in this context.
As I’m not a web developer, is there good reference material that would list which browsers support this and would therefore be vulnerable?
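The six test strings from the post, run through a small allowlist sanitizer. This is an added example in JavaScript, written for this page; it is not ServiceNow's HTMLSanitizer and not the poster's code, and the policy it encodes (which tags and attributes are allowed, the URL scheme check, and dropping `style` outright) is an assumption chosen for illustration. The point it makes about case 5 is that the browser-support question can be sidestepped on the sanitizer side: if `style` is never allowlisted, the CSS `url('javascript:...')` never reaches any browser, whatever that browser would do with it. Non-allowlisted tags are HTML-encoded rather than silently dropped, so the reader of the work note still sees what was pasted.

```javascript
// Toy allowlist HTML sanitizer (added example; not ServiceNow's HTMLSanitizer).
// Policy below is an assumption for illustration, not a production ruleset.
const ALLOWED = {
  a: ["href", "title"],
  img: ["src", "alt"],
  input: ["type"],           // mirrors the page's output: <input type="text">
  div: [], span: [], p: [], br: [], b: [], i: [], ul: [], ol: [], li: [],
};
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = ["http", "https", "mailto"];

// Tag: <name attr="v" attr='v' attr=v ... /> or </name>
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
// Attribute inside a tag: name, optionally =value (double-, single- or unquoted)
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// A URL is safe if it is relative (no scheme) or its scheme is allowlisted.
// Control characters and spaces are removed before the check, because browsers
// ignore them inside a scheme (so "java\tscript:" is still javascript:).
function isSafeUrl(raw) {
  const probe = raw.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = probe.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return true;                 // relative URL such as image.jpg
  return SAFE_SCHEMES.includes(m[1]);
}

function sanitizeTag(raw, name, attrText) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
    return escapeHtml(raw);            // not allowlisted: encode, never render
  }
  if (raw.startsWith("</")) return `</${name}>`;
  const kept = [];
  for (const a of attrText.matchAll(ATTR_RE)) {
    const attr = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    if (attr.startsWith("on")) continue;                    // event handlers: always dropped
    if (!ALLOWED[name].includes(attr)) continue;            // e.g. style: never allowlisted
    if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // javascript: href/src dropped
    kept.push(`${attr}="${escapeHtml(value)}"`);
  }
  return `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
}

// Walks the input: text between tags is encoded, each tag is rebuilt from the allowlist.
function sanitizeHtml(input) {
  let out = "";
  let last = 0;
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, m.index));
    out += sanitizeTag(m[0], m[1].toLowerCase(), m[2]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(input.slice(last));
}

// The six test strings from the post, as constructed sample input.
const SAMPLES = [
  `<script>alert('XSS Attack!');</script>`,
  `<img src="image.jpg" onerror="alert('XSS Attack!');" />`,
  `<iframe src="https://www.google.com"></iframe>`,
  `<a href="javascript:alert('XSS Attack!');">Link</a>`,
  `<div style="background-image: url('javascript:alert('XSS Attack')');"></div>`,
  `<input type="text" value="XSS" onfocus="alert('XSS Attack');" />`,
];

for (const s of SAMPLES) console.log(sanitizeHtml(s));
```

Case 5 comes out as `<div></div>`: the inline style is gone before any browser gets to decide whether `url('javascript:...')` is a valid scheme. If `style` must be allowed for formatting, its value needs its own CSS-level validation (at minimum rejecting any `url(` whose scheme is not http or https), which this example deliberately does not attempt.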