search

Plume-org / Plume

Federated blogging application, thanks to ActivityPub (now on https://git.joinplu.me/ — this is just a mirror)
https://joinplu.me
GNU Affero General Public License v3.0
2.1k stars 133 forks source link

[Vulnerability] Stored XSS via init_editor #1095

Open spaceraccoon opened 1 year ago

spaceraccoon commented 1 year ago

Hi,

There is a stored XSS caused be the conversion of a blog post's contents from the classic editor to the new editor. When clicking the button to switch to the new editor, the code at editor.rs (https://github.com/Plume-org/Plume/blob/97cbe7f4461bcd072d27364809092aa3d80be32f/plume-front/src/editor.rs#L383-L401) uses the WebAssembly-JS bridge to run content.set_inner_html(&content_val); using the post's text. If the text contains HTML tags like <img src=x onerror=alert()>, an XSS will occur.

  1. In a Plume instance, create a post draft in a blog using the classic editor with the contents <img src=x onerror=alert()>.
  2. Autosave.
  3. Switch to the new editor. An alert box will pop.

To fix this, you should use content.set_inner_text(&content_val); instead.

trinity-1686a commented 1 year ago

that vulnerability is currently not triggerable in anyway that's actually useful to an attacker that I can think of, but it will be when #368 gets implemented.

I don't think set_inner_text would do the trick, you are supposed to be able to insert (a safe subset of) html in a blog post. What should be done is the same kind of sanitization that's done when publishing.

spaceraccoon commented 1 year ago

Makes sense, I saw in the UI what seemed like possible shared editing features.

I recommend DOMPurify to do the sanitization since it's the most robust whitelisting solution IMO!