CVE-2018-6341

MEDIUM 6.1 / 10.0
Published: December 31, 2018 at 10:29 PM
Modified: May 6, 2025 at 05:15 PM
Source: cve-assign@fb.com

Vulnerability Description

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

CVSS Metrics

Base Score
6.1
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: cve-assign@fb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

React applications that render to HTML on the server with the ReactDOMServer API (renderToString / renderToStaticMarkup) were vulnerable to cross-site scripting (XSS) because user-supplied attribute names were written into the markup without validation or escaping. Attribute values were already escaped; only the name path was unguarded. An application is exploitable only where attacker-controlled data can become an attribute name, typically by spreading a user-derived object into an element. Where that happens, the attacker can terminate the intended attribute and add an inline event handler or arbitrary markup, leading to script execution in the victim's browser and, from there, session or account compromise and data theft. Client-side rendering in the browser was not affected.

02 // Vulnerability Mechanism

Step 1: Payload construction. The attacker crafts a string that will be used as an attribute name and that contains characters which end the attribute, for example data-theme="dark" onmouseover="alert(1)" x. The payload has to live in the name: attribute values were escaped, so the same characters in a value would be neutralised.
Step 2: Reaching the props. The string reaches a component as a prop key. In practice this means an object built from user data (a form submission, a URL parameter, a stored profile) is spread into an element, as in <div {...userData} />, or passed as the props argument of React.createElement. Components whose attribute names are fixed in source are not affected.
Step 3: Server-side rendering. ReactDOMServer renders the component to a string by concatenating name="escaped-value" for each prop.
Step 4: Unvalidated name. The renderer escapes the value but emits the name verbatim, with its embedded quotes, spaces and equals signs intact.
Step 5: Attacker-controlled markup. The output now contains an attribute the component never declared, for example <div data-theme="dark" onmouseover="alert(1)" x="..."></div>.
Step 6: Browser execution. The HTML is sent to the victim's browser, which parses the injected onmouseover attribute as an ordinary event handler; the attacker's JavaScript runs in the page's origin when the event fires. The CVSS vector's UI:R reflects that a victim has to load the page and trigger the handler.

03 // Deep Technical Analysis

The vulnerability stems from how the server renderer built attribute markup. It produced HTML by string concatenation, escaping attribute values and text content but emitting attribute names exactly as they appeared in the props object. Because React escapes values and children reliably, developers reasonably treat server-rendered output as safe; the name path had no such guarantee, so a prop key containing a double quote, whitespace, "=" or ">" could close the intended attribute and add new attributes or break out of the tag entirely. Note that the correct fix for a name is validation rather than entity encoding: an attribute name cannot be encoded into something meaningful, so the patched releases check each name against the HTML attribute-name grammar and skip any name that fails, emitting a development warning instead of markup. At the application level the same defence applies to unpatched code: never spread an untrusted object into an element, or filter its keys against an allow-list before doing so.
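The following is an added example, not React's source or the page's own code: a minimal model of a string-building server renderer in the vulnerable shape described above (name concatenated verbatim, value escaped) beside a hardened form that validates the name and drops it when it fails. It serves both the step-by-step mechanism and the root-cause analysis. The attribute-name regex, the helper names and the attacker profile are this example's own constructions; the hardened form follows the same idea as the fix shipped in the patched releases (reject invalid names) but is not that code.

```javascript
// Added example, not React's implementation: a toy model of attribute rendering
// in a string-based server renderer, vulnerable form beside hardened form.

// Escape attribute VALUES the way the vulnerable renderer already did.
// This alone does not help when the attacker controls the NAME.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable model: the name is concatenated verbatim; only the value is escaped.
function renderVulnerable(tag, props) {
  let markup = '<' + tag;
  for (const [name, value] of Object.entries(props)) {
    if (value === null || value === undefined) continue;
    markup += ' ' + name + '="' + escapeAttrValue(value) + '"';
  }
  return markup + '></' + tag + '>';
}

// Hardened model: refuse any name that is not a valid HTML attribute name.
// Letters, digits, ':', '_', '-', '.' pass; quotes, spaces, '=', '<', '>' never do.
// This regex is the example's own approximation of the HTML/XML Name grammar.
const VALID_ATTRIBUTE_NAME = /^[:A-Z_a-z\u00C0-\uFFFF][:A-Z_a-z\u00C0-\uFFFF\-.0-9]*$/;

function isAttributeNameSafe(name) {
  return VALID_ATTRIBUTE_NAME.test(name);
}

function renderHardened(tag, props) {
  let markup = '<' + tag;
  for (const [name, value] of Object.entries(props)) {
    if (value === null || value === undefined) continue;
    if (!isAttributeNameSafe(name)) continue; // drop it rather than emit it
    markup += ' ' + name + '="' + escapeAttrValue(value) + '"';
  }
  return markup + '></' + tag + '>';
}

// Application-level mitigation for code that must spread untrusted objects:
// keep only keys from an explicit allow-list before they become props.
function pickAllowedProps(untrusted, allowed) {
  const safe = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) safe[key] = untrusted[key];
  }
  return safe;
}

// Detection helper for the test: list inline event-handler attributes present
// in rendered markup. A real renderer would not need this.
function injectedHandlers(markup) {
  const found = [];
  const re = /\s(on[a-z]+)\s*=/gi;
  let m;
  while ((m = re.exec(markup)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// Constructed attacker input: a stored profile whose keys get spread into a
// component's props, e.g. <div {...profile} /> on a server-rendered page.
// The payload is in the key, so value escaping never sees it.
const attackerProfile = {
  'data-theme="dark" onmouseover="alert(document.cookie)" data-x': '1',
  'data-user': 'mallory',
};

const before = renderVulnerable('div', attackerProfile);
const after = renderHardened('div', attackerProfile);
const filtered = renderVulnerable('div', pickAllowedProps(attackerProfile, ['data-user']));
```

Running the block, `before` is `<div data-theme="dark" onmouseover="alert(document.cookie)" data-x="1" data-user="mallory"></div>`: well-formed HTML with a handler the component never declared. `after` and `filtered` both reduce to `<div data-user="mallory"></div>`, showing that either the renderer-level fix or an allow-list on the application side closes the path.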
