Summary
A Cross-Site Scripting (XSS) vulnerability exists in the TurtleBlocksJS activity: the label value of a "text" block is concatenated into an HTML string and assigned to `innerHTML` without escaping, so a value containing `"` and `>` breaks out of the `value` attribute and injects arbitrary markup.
Location
- File: activities/TurtleBlocksJS.activity/js/block.js (line 1501)
- Function: showLabel()
Vulnerable Code

```javascript
// A place in the DOM to put modifiable labels (textareas).
var labelValue = (this.label)?this.label.value:this.value;
var labelElem = docById('labelDiv');
if (this.name === 'text') {
    var type = 'text';
    // Sink: labelValue is spliced into a quoted attribute with no escaping.
    labelElem.innerHTML = '<input id="textLabel" style="position: absolute; -webkit-user-select: text;-moz-user-select: text;-ms-user-select: text;" class="text" type="text" value="' + labelValue + '" />';
    labelElem.classList.add('hasKeyboard');
    this.label = docById('textLabel');
}
```

Steps to Reproduce
- Open the TurtleBlocksJS activity
- Create a new "text" block from the palette
- Double-click the block to edit its text
- Enter the malicious payload: `"><script>alert('XSS')</script><`
- Save the block and edit it again
- The payload is rendered as markup and executes
Impact
- Severity: High
- Attack vector: attacker-controlled text block content is rendered as HTML, so arbitrary JavaScript can be injected
- Scope: any user who edits a block whose stored label contains a crafted value (the label is re-rendered every time the block is edited)
- Risk: code execution in the user's browser context, with access to the activity's origin
Root Cause
User input from `this.label.value` flows directly into `innerHTML` without HTML escaping, allowing HTML/JavaScript injection. The fix is either to escape `labelValue` before interpolating it (at minimum `&`, `<`, `>`, `"` and `'`) or, preferably, to build the `<input>` with `document.createElement` and assign the text through its `value` property, which is never parsed as markup. Note that browsers do not execute `<script>` elements inserted through `innerHTML`; a payload that breaks out of the attribute and relies on an event-handler attribute (for example `onerror` on an injected `<img>`) is the more reliable demonstration, but the injection primitive is the same either way.
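The following is an added example, not code from the TurtleBlocksJS project, that places the vulnerable concatenation next to two hardened variants and shows how the report's payload behaves under each. The names `escapeHtml`, `buildLabelMarkupUnsafe`, `buildLabelMarkupSafe`, `renderLabelElement`, `countTagStarts` and `makeFakeDocument` are this example's own; `makeFakeDocument` is a constructed stand-in for the browser `document` so the DOM-based fix can run under Node.

```javascript
// Added example (not TurtleBlocksJS code). Contrasts the innerHTML string
// concatenation from showLabel() with hardened alternatives.

// Escape the five characters that matter inside HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the vulnerable pattern: the label value is spliced into a
// double-quoted value="" attribute with no escaping.
function buildLabelMarkupUnsafe(labelValue) {
  return '<input id="textLabel" class="text" type="text" value="' + labelValue + '" />';
}

// Minimal fix in the same style: escape before interpolating.
function buildLabelMarkupSafe(labelValue) {
  return '<input id="textLabel" class="text" type="text" value="' + escapeHtml(labelValue) + '" />';
}

// Preferred fix: build the element with DOM APIs and assign the text through
// the value property, which the browser never parses as markup. `doc` is
// passed in so the function can run against a stub outside a browser.
function renderLabelElement(doc, labelElem, labelValue) {
  const input = doc.createElement('input');
  input.id = 'textLabel';
  input.className = 'text';
  input.type = 'text';
  input.value = labelValue;
  labelElem.textContent = ''; // in a real DOM this clears the previous label
  labelElem.appendChild(input);
  return input;
}

// Count tag starts in a markup string; a single <input> should yield exactly one.
function countTagStarts(markup) {
  return (markup.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed stand-in for `document`: just enough for renderLabelElement.
function makeFakeDocument() {
  const makeElement = (tagName) => ({
    tagName,
    children: [],
    textContent: '',
    appendChild(child) { this.children.push(child); return child; },
  });
  return { createElement: makeElement };
}

// The payload from the report (constructed input).
const PAYLOAD = '"><script>alert(\'XSS\')</script><';

function demo() {
  const unsafe = buildLabelMarkupUnsafe(PAYLOAD);
  const safe = buildLabelMarkupSafe(PAYLOAD);
  const doc = makeFakeDocument();
  const labelDiv = doc.createElement('div');
  const input = renderLabelElement(doc, labelDiv, PAYLOAD);
  return {
    unsafeTagStarts: countTagStarts(unsafe), // 3: <input, <script, </script
    safeTagStarts: countTagStarts(safe),     // 1: only <input
    safeContainsScript: safe.includes('<script'),
    domValueIntact: input.value === PAYLOAD,
    domChildCount: labelDiv.children.length,
  };
}

console.log(demo());
```

The DOM-based variant is the one to prefer in `showLabel()`: it needs no escaping discipline at all, because the string only ever reaches the input's `value` property. The escaping variant is acceptable where the markup string must stay, but every interpolation point then has to be escaped, and the same `escapeHtml` must be applied to any other user-controlled value that reaches `innerHTML`.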