OvidijusParsiunas / deep-chat

Fully customizable AI chatbot component for your website
https://deepchat.dev
MIT License

JS/XSS Injection via execCommand in PasteUtils #95

Closed akhil-reni closed 5 months ago

akhil-reni commented 5 months ago

Vulnerable code

export class PasteUtils {
  public static sanitizePastedTextContent(event: ClipboardEvent) {
    event.preventDefault();
    const text = event.clipboardData?.getData('text/plain');
    // 'insertHTML' parses the clipboard string as markup, so any tags or
    // event-handler attributes in it become live DOM nodes.
    document.execCommand?.('insertHTML', false, text);
  }
}

Description

A potential security vulnerability exists in the PasteUtils class, specifically in the sanitizePastedTextContent method. The current implementation uses document.execCommand('insertHTML', false, text), which can allow JavaScript injection through pasted content.

Steps to Reproduce

  1. Copy a string that includes JavaScript code.
  2. Paste it into the relevant field where PasteUtils.sanitizePastedTextContent is used.
  3. The JavaScript code gets executed.

Expected Behavior

Pasted text should be sanitized to prevent any potential JavaScript execution.

Actual Behavior

JavaScript can be executed through the execCommand('insertHTML', ...) method, leading to potential security risks.

Suggested Fix

Replace document.execCommand('insertHTML', false, text) with document.execCommand('insertText', false, text). This change will insert the text as plain text, mitigating the risk of JavaScript execution.

Additional Information

[Screenshot attached: 2024-01-11, 12:29:53 PM]

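As an added example that is not part of this issue or the deep-chat project's code, the handler below applies the suggested fix (`insertText` instead of `insertHTML`) and adds a text-node fallback for environments where `execCommand` is unavailable. The `makeFakeDocument` and `makeFakeEvent` builders are constructed stand-ins for the browser objects so the handler can be exercised outside a browser.

```javascript
// Added example, not deep-chat's own code: the suggested fix (insertText)
// plus a text-node fallback. Fake document/event are constructed stand-ins.

// Insert `text` at the caret as literal characters; returns the path used.
function insertPlainText(doc, text) {
  // 'insertText' never parses markup, unlike 'insertHTML'.
  if (doc.execCommand?.('insertText', false, text)) return 'insertText';
  // Fallback: a Text node holds character data only, never elements or attributes.
  const sel = doc.getSelection();
  if (!sel || sel.rangeCount === 0) return 'none';
  const range = sel.getRangeAt(0);
  range.deleteContents();
  range.insertNode(doc.createTextNode(text));
  return 'textNode';
}
function sanitizePastedTextContent(event, doc) {
  event.preventDefault(); // block the browser's default (rich) paste
  const text = event.clipboardData?.getData('text/plain') ?? '';
  return insertPlainText(doc, text);
}
// Constructed fake `document` recording each insertion and the path taken.
function makeFakeDocument(supportsExecCommand) {
  const inserted = [];
  const range = {
    deleteContents() {},
    insertNode(node) { inserted.push({ via: 'textNode', data: node.data }); },
  };
  const doc = {
    inserted,
    createTextNode: (data) => ({ nodeType: 3, data }),
    getSelection: () => ({ rangeCount: 1, getRangeAt: () => range }),
  };
  if (supportsExecCommand) {
    doc.execCommand = (cmd, _showUi, value) => {
      if (cmd !== 'insertText') return false; // plain text only
      inserted.push({ via: cmd, data: value });
      return true;
    };
  }
  return doc;
}
// Constructed fake ClipboardEvent carrying only a text/plain payload.
function makeFakeEvent(clipboardText) {
  return {
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
    clipboardData: { getData: (t) => (t === 'text/plain' ? clipboardText : '') },
  };
}
```

In either path the clipboard string reaches the DOM unchanged as character data, which is what makes the fix hold regardless of what the pasted text contains.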
OvidijusParsiunas commented 5 months ago

You're an absolute star for raising this @akhil-reni. I have included this change in the following commit. This should hopefully be included in the main release tomorrow. Thanks!

OvidijusParsiunas commented 5 months ago

This has now been released in version 1.4.7. Thank you!