Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Fix for Cross-site Scripting (XSS) - huntr.dev #860

Open
wants to merge 9 commits into
base: master
Choose a base branch
from

Conversation

huntr-helper
Copy link

https://huntr.dev/users/alromh87 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/editor.md/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-editor.md

⚙️ Description *

filterHTML function has been enhanced to properly handle self closing html tags

💻 Technical Description *

filterHTML uses regExp to filter selectively but previous version won't match properly self closing tags leading to improper filtering, regExp has been updated
When using the 'on*' filter attributes where being loaded to Jquery object causing onload property execution

🐛 Proof of Concept (PoC) *

Insert in editor a self clossing element with event to execute code

  1. Download editor.md
    git clone https://github.com/pandao/editor.md
  2. Go into directory
    cd editor.md
  3. Make the content available with any web server
    php -S localhost:8080
  4. open http://localhost:8080/examples/html-tags-decode.html
  5. Filter code execution by clicking on Filter style,script,iframe|onclick,title,onmouseover,onmouseout,style
    (No code should be executed with this Filter)
  6. Insert element with payload usig the editor (New line is important):
    <img src="https://picsum.photos/200" style="position:fixed;left:0;top:0;width:200px;height:200px;z-index:100" onmouseover="alert('img execution...')"/>
    sss
    ```
    
  7. Code will be executed when passing the mouse over the image

Captura de pantalla de 2020-09-10 17-06-44

🔥 Proof of Fix (PoF) *

After fix code execution is avoided as specified

Captura de pantalla de 2020-09-10 17-18-57

👍 User Acceptance Testing (UAT)

Editor works properly after fix:

#Refs:

#715
#764
#816
#709
#701
#700

alromh87 and others added 9 commits March 26, 2020 00:40
Disable script and on events by default to avoid XSS.

User can enable by setting allowScript|allowOn

Readme updated
Merging fix on-behalf of @alromh87 (034-js-editor-md).
fixes #pandao#612
fixes #pandao#662
fixes #pandao#697
fixes #pandao#700
fixes #pandao#701
fixes #pandao#709
fixes #pandao#715
fixes #pandao#764
fixes #pandao#816

### Probably:
fixes #pandao#307
fixes #pandao#560
fixes #pandao#612
fixes #pandao#662
fixes #pandao#697
fixes #pandao#700
fixes #pandao#701
fixes #pandao#709
fixes #pandao#715
fixes #pandao#764
fixes #pandao#816

fixes #pandao#307
fixes #pandao#560
Enhance filterHTML Regexp to handle self closing tags
@langren1353
Copy link

langren1353 commented Apr 28, 2022

似乎一定程度上解决了,但是并没有完全解决
问题行
var text = (typeof el[1] !== "undefined") ? $(el[1]).text() : "";
测试样例:

<a href="zhangsan">sdasda</a> <a href="console.log('aa')">dsdfs</a>

可能的渲染结果为
image

将 $(el[1]).text()变更为$4即可

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants