Open spaceraccoon opened 1 year ago
that vulnerability is currently not triggerable in anyway that's actually useful to an attacker that I can think of, but it will be when #368 gets implemented.
I don't think set_inner_text
would do the trick, you are supposed to be able to insert (a safe subset of) html in a blog post. What should be done is the same kind of sanitization that's done when publishing.
Makes sense, I saw in the UI what seemed like possible shared editing features.
I recommend DOMPurify to do the sanitization since it's the most robust whitelisting solution IMO!
Hi,
There is a stored XSS caused be the conversion of a blog post's contents from the classic editor to the new editor. When clicking the button to switch to the new editor, the code at
editor.rs
(https://github.com/Plume-org/Plume/blob/97cbe7f4461bcd072d27364809092aa3d80be32f/plume-front/src/editor.rs#L383-L401) uses the WebAssembly-JS bridge to runcontent.set_inner_html(&content_val);
using the post's text. If the text contains HTML tags like<img src=x onerror=alert()>
, an XSS will occur.<img src=x onerror=alert()>
.To fix this, you should use
content.set_inner_text(&content_val);
instead.