Admin UI - User Creation XSS Vulnerability

[sarkalgud-b]

Describe the bug

We are using the Skoruba Duende Admin Module out of the box for our project.
We noticed that Admin UI - User Creation Screen "Phone Number" field is exposed to XSS attacks..
Looking at the Admin UI code on GitHub, we noticed that there is no "asp-validation-for" attribute on the Phone Number input tag (or an associated span tag for the phone number).
Is there a fix that could be provided?

To Reproduce

As an Admin While creating a new user, In the Phone Number field use "${alert(location)}"
Login as the user that we created in the previous step
The script injection runs as a part of the login process, and the alert pops up ..

Relevant parts of the log file

<log goes here>

[skoruba]

Let me check it. 👁️

[skoruba]

I am testing it and I am not able to reproduce it. Can you send me a screenshot, where you can see this alert in the page? thanks.

[sarkalgud-b]

The alert happens in the application page using the above created user in the admin module..
The script insertion happens during user creation..

Whan that user information is accessed using the below code in client applications, the alert pop-up appears...

Controller code -
protected AppUser AppUser
{
get
{
if (_appUser is null)
{
_appUser = _identityRepo.GetUserForWeb(User) ?? new AppUser();
}
}
}

View.cshtml code

<script> var app = app || {}; app.global = (() => { return { securityUrl: '@_cfg["Authority"]', apiUrl: '@_cfg["API"]', baseUrl: '@Url.Content("~")', theme: @Html.Raw(Json.Serialize(ViewBag.theme)), contextClinicId: () => { let id = localStorage.getItem(`${JSON.parse('@Html.Raw(ViewBag.AppUser)').UserName}_SelectedClinicId`); if (id == '00000000-0000-0000-0000-000000000000') { id = "0"; } return id; }, appUser: JSON.parse(`@Html.Raw(ViewBag.AppUser)`) } })(); document.addEventListener('DOMContentLoaded', _ => app.headerComponent.init()); </script>

[skoruba]

Thanks for your code.

This behavior is not caused by the Admin UI itself — it happens in your client application, where the user data is rendered with @Html.Raw(ViewBag.AppUser) inside a <script> block. That disables HTML encoding.

Try this instead:

@inject Microsoft.AspNetCore.Mvc.ViewFeatures.IJsonHelper Json

<script>
  const appUser = @Json.Serialize(ViewBag.AppUser);
</script>

I would also recommend using the Duende BFF package to handle user information. It provides a better and more secure way to retrieve user data on the client side.

Please check this link: https://docs.duendesoftware.com/bff/