HermanMartinus / bearblog

Free, no-nonsense, super fast blogging.
MIT License

XSS vulnerability in blog posts #263

Closed willmeyers closed 7 months ago

willmeyers commented 7 months ago

@HermanMartinus

I discovered an XSS vulnerability that should be patched.

To reproduce:

  1. Create a new blog post titled: `
  2. Within the post's body add the template tag {{ post_title }}
  3. Navigate to blog post and JS will execute

I believe other template tags might also be available which could include other security issues.

HermanMartinus commented 7 months ago

Good catch. I'll make it safe today.

HermanMartinus commented 7 months ago

It turns out that Pygments (the syntax highlighter) was unescaping escaped characters. I've changed it to selectively handle syntax highlighting and manually escape the injected content.

Fixed in da95468f8c7dd3643d3759d9b63f5204b2c49baf
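As an added illustration, not bearblog's own code, the two orderings the thread describes side by side: escaping the substituted title before a later stage that decodes entities (which undoes the escaping), versus highlighting only fenced code blocks and escaping the title at the point of injection. The entity-decoding step is a stand-in that models the behaviour attributed to Pygments, not Pygments itself; the title, body and helper names are constructed.

```python
import html
import re

# Constructed sample post: the title is untrusted user input and the body
# references it through a template tag, as in the report above.
POST_TITLE = '<script>alert(1)</script>'          # hypothetical malicious title
POST_BODY = 'Intro text.\n\n{{ post_title }}\n\n```python\nprint(1 < 2)\n```'

TAG_RE = re.compile(r'\{\{\s*post_title\s*\}\}')
FENCE_RE = re.compile(r'```(\w+)?\n(.*?)```', re.DOTALL)


def decode_entities_like_bug(text):
    """Stand-in for a highlighter that decodes HTML entities in its input.
    This only models the behaviour described in the thread; it is NOT Pygments."""
    return html.unescape(text)


def render_vulnerable(title, body):
    # Escape first, substitute, then run the WHOLE page through the
    # entity-decoding stage: the escaping is undone before the browser sees it.
    # A callable replacement keeps backslashes in user input literal.
    substituted = TAG_RE.sub(lambda _m: html.escape(title), body)
    return decode_entities_like_bug(substituted)


def highlight_code_block(lang, code):
    # Process only the fenced block and escape its own content.
    return '<pre class="%s">%s</pre>' % (html.escape(lang or 'text'),
                                         html.escape(code))


def render_fixed(title, body):
    # Highlight only fenced code blocks; the title is escaped at the point of
    # injection afterwards and never passes through the decoding stage.
    out = FENCE_RE.sub(lambda m: highlight_code_block(m.group(1), m.group(2)), body)
    return TAG_RE.sub(lambda _m: html.escape(title), out)


def contains_raw_script_tag(rendered):
    # Detection check a reviewer can run over rendered output.
    return '<script' in rendered.lower()
```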