Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Valid

Symbol limitations do not prevent minimal XSS injection

Description

The function SablierV2NFTDescriptor::safeAssetSymbol includes a length check intended to mitigate script injection through the symbol string. However, the current limit of 30 bytes does not provide complete protection.

The smallest possible XSS, assuming control over the HTML tag (but not the URL), is as follows:

<svg/onload=eval(name)>

If name is a single letter, the total length is 20, which is below the limit. This means that in several scenarios it is still feasible to inject scripts into the symbol string.

    // The length check is a precautionary measure to help mitigate potential security threats from malicious assets
    // injecting scripts in the symbol string.
    if (bytes(symbol).length > 30) {
        return "Long Symbol";
    } else {
        return symbol;
    }

Risk

Likelihood: Low

  • The probability of executing a minimal XSS is low, as several conditions must be met.

Impact: High (but not on the protocol)

  • Potential for script injection on websites that integrate Sablier NFTs.
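
As an added illustration (not code from the submission or from Sablier), the JavaScript below models the byte-length check described above and compares it with a character allowlist and with escaping on the integrating website. The function names, the "Unsupported Symbol" fallback and the allowlist (ASCII letters, digits, space, dash) are assumptions.

```javascript
// Added example: JavaScript model of the length check quoted above.
// Function names, the allowlist and "Unsupported Symbol" are assumptions.
const LONG = "Long Symbol";
const byteLength = (s) => new TextEncoder().encode(s).length;

// Mirrors the contract logic: bytes(symbol).length > limit
function lengthOnlySymbol(symbol, limit) {
  return byteLength(symbol) > limit ? LONG : symbol;
}

// Assumed stricter policy: length limit plus ASCII letters, digits, space, dash.
function allowlistSymbol(symbol, limit = 30) {
  if (byteLength(symbol) > limit) return LONG;
  return /^[A-Za-z0-9 -]+$/.test(symbol) ? symbol : "Unsupported Symbol";
}

// Integrator side: escape the symbol before placing it in HTML or SVG markup.
function escapeMarkup(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs: a normal symbol, harmless short markup, and the
// submission's string with a one-letter name (20 bytes).
const SAMPLES = ["USDC", "<b>x</b>", "<svg/onload=eval(n)>"];

function compare(symbol) {
  return {
    bytes: byteLength(symbol),
    limit30: lengthOnlySymbol(symbol, 30),
    limit19: lengthOnlySymbol(symbol, 19),
    allowlist: allowlistSymbol(symbol),
    escaped: escapeMarkup(symbol),
  };
}

for (const s of SAMPLES) console.log(JSON.stringify(compare(s)));
```

The short markup sample passes both length limits unchanged, which shows that a byte limit bounds size but does not filter markup characters.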

Recommended Mitigation

-if (bytes(symbol).length > 30) {
+if (bytes(symbol).length > 19) {
return "Long Symbol";
} else {
return symbol;
}
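
Review bot: the changed condition, bytes(symbol).length > 19, still filters on length only, so a symbol of 19 bytes or fewer that contains markup characters such as < or > is returned unchanged. Consider pairing the length limit with a character check on the symbol (for example, accepting only alphanumerics, spaces and dashes) rather than relying on 20 being the shortest workable payload. The lower limit also turns legitimate symbols of 20 to 30 bytes into "Long Symbol", which should be noted in the comment above the check.
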
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

SVG Injection
