Javascript Kony Browser Html String
Description
Detects potentially unsafe HTML string configurations in Kony UI Browser components that could enable Cross-Site Scripting (XSS) attacks. When browser components are initialized with unvalidated HTML content, attackers could inject malicious scripts that execute in the browser context.
Detection Strategy
• Look for Kony UI Browser component initialization calls (kony.ui.Browser)
• Examine the first argument passed to the Browser constructor
• Check if the configuration object contains unsafe HTML string content or unvalidated dynamic content
• Flag instances where browser content is not properly sanitized or validated before rendering
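As an added example (not part of the Fluid Attacks rule text), a heuristic scanner that applies the four steps above to constructed Kony source snippets: it locates each kony.ui.Browser construction, brace-matches the first argument and classifies its htmlString value. It is regex-based rather than a real JavaScript parser, and the sample source, function names and the treatment of kony.string.escapeHTML as the encoding marker are assumptions of this example.

```javascript
// Added heuristic scanner for the Kony Browser htmlString pattern; not a
// real JavaScript parser. Sample source and names are constructed.

// Return the object literal that opens at the first '{' at or after `start`,
// using brace matching; null if none or unbalanced.
function firstArgObject(src, start) {
  const open = src.indexOf("{", start);
  if (open < 0) return null;
  let depth = 0;
  for (let j = open; j < src.length; j++) {
    if (src[j] === "{") depth++;
    else if (src[j] === "}" && --depth === 0) return src.slice(open, j + 1);
  }
  return null;
}

// Classify the htmlString value inside a Browser basic-config literal:
// "literal" (constant string), "escaped" (wrapped in kony.string.escapeHTML),
// "dynamic" (anything else: flag it) or "none" (property absent).
function classifyHtmlString(objText) {
  const m = /htmlString\s*:\s*([^,}]+)/.exec(objText);
  if (!m) return "none";
  const value = m[1].trim();
  if (/^(["'`]).*\1$/.test(value)) return "literal";
  if (/^kony\.string\.escapeHTML\s*\(/.test(value)) return "escaped";
  return "dynamic";
}

// Find every `new kony.ui.Browser(` in `src` and classify its first argument.
function scanKonyBrowser(src) {
  const findings = [];
  const re = /new\s+kony\.ui\.Browser\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const obj = firstArgObject(src, m.index + m[0].length);
    findings.push(obj ? classifyHtmlString(obj) : "unparsed");
  }
  return findings;
}

// Constructed sample: one flagged, one encoded, one constant instantiation.
const SAMPLE = `
var a = new kony.ui.Browser({ id: "a", htmlString: userInput }, {});
var b = new kony.ui.Browser({ id: "b", htmlString: kony.string.escapeHTML(userInput) }, {});
var c = new kony.ui.Browser({ id: "c", htmlString: "<p>static</p>" }, {});
`;

console.log(scanKonyBrowser(SAMPLE)); // [ 'dynamic', 'escaped', 'literal' ]
```

Only the "dynamic" result corresponds to a finding under this rule; an unparsed first argument is reported separately so it can be reviewed by hand.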
Vulnerable code example
    function displayUserContent() {
      var userInput = frmMain.userTextField.text; // Untrusted user input from form field
      var browser = new kony.ui.Browser({
        id: "contentBrowser",
        isVisible: true,
        htmlString: userInput // VULNERABLE: Raw user input directly used in HTML context
      }, {
        containerHeight: 100 // ... remaining layout configuration elided in the source
      });
    }
Secure code example
    function displayUserContent() {
      var userInput = frmMain.userTextField.text;
      // Option 1: Encode user input to prevent XSS
      var encodedContent = kony.string.escapeHTML(userInput); // Sanitize user input
      var browser = new kony.ui.Browser({
        id: "contentBrowser",
        isVisible: true,
        htmlString: encodedContent // Encoded content is rendered as text, not as markup
      }, {
        // ... layout configuration elided in the source
      });
    }