Closed dinhbaouit closed 4 years ago
Thanks @dinhbaouit
I'm currently working on a fix for this that I'll release later today!
@dinhbaouit thanks again for bringing this to my attention! I've tagged the latest release with the updated fix for this and will proceed to get the plugins etc updated.
OK, Thanks sir
Sorry sir, I will delete it.
@darylldoyle You should add a section about how to get in touch for security issues to your README to prevent public reports like this.
Hi, I see the fix can still be bypassed with a new payload:
```xml
<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascrip	t:alert('0xd0ff9')">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg>
```
Why don't you use a whitelist to sanitize it, like for xlink:href?
This regex:
```php
const SCRIPT_REGEX = '/(?:\w+script|data)(?:\s)?:/xi';
```
isn't safe; `\s` can be put anywhere in the "script" string, like this:
```
s\sc\sr\si\sp\st
```
@dinhbaouit whilst you're correct that this does get through the sanitiser in a way, I'm struggling to get it to actually execute. The spacing in the middle of the javascript keyword seems to stop browsers from picking up and executing the script:
```xml
<?xml version="1.0" standalone="no"?>
<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascrip t:alert('0xd0ff9')">
    <circle cx="50" cy="40" r="35"/>
  </a>
</svg>
```
The above is what's left. If you can show me a way to get this to execute in a browser, as the first bypass you posted did, then I'll be happy to look; otherwise I'll leave this one alone, as it's not causing any real issues.
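As an added example (not svg-sanitizer's own code), the following PHP shows why the quoted regex misses the tab-split scheme from the first payload and what a check that normalises the value the way a browser does, then allow-lists the scheme, looks like. The function names and the allowed-scheme list are assumptions made for this illustration.

```php
<?php
// Added example, not svg-sanitizer's own code. Hypothetical helper names.

// The check quoted in the thread: one optional \s, and only directly
// before the colon, is tolerated. Whitespace elsewhere in the scheme
// goes unmatched.
const SCRIPT_REGEX = '/(?:\w+script|data)(?:\s)?:/xi';

function weakIsDangerousHref(string $value): bool
{
    return preg_match(SCRIPT_REGEX, $value) === 1;
}

// Hardened check: reproduce the browser's own normalisation before reading
// the scheme, then allow-list the scheme instead of deny-listing keywords.
// The WHATWG URL parser strips ASCII tab and newline from anywhere in the
// input and trims leading/trailing C0 controls and spaces. A space in the
// middle of "javascript" is not stripped, which is why the re-typed payload
// with a plain space does not run while the original tab-split one does.
function hardenedIsDangerousHref(string $value): bool
{
    $allowedSchemes = ['http', 'https', 'mailto']; // assumption for this example

    // 1. The HTML parser entity-decodes attribute values before the URL is
    //    parsed, so decode named and numeric references first.
    $v = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // 2. Remove tab/CR/LF anywhere; trim other C0 controls and space at the ends.
    $v = str_replace(["\t", "\r", "\n"], '', $v);
    $v = trim($v, "\x00..\x20");
    // 3. No scheme means a relative reference resolved against the document.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $v, $m) !== 1) {
        return false;
    }
    return !in_array(strtolower($m[1]), $allowedSchemes, true);
}

// The first payload from the thread (tab inside the scheme), the space
// variant from the reply, and a harmless link, all constructed inline.
$tabSplit   = "javascrip\tt:alert('0xd0ff9')";
$spaceSplit = "javascrip t:alert('0xd0ff9')";
$plain      = "https://example.com/";

var_dump(weakIsDangerousHref($tabSplit));       // the quoted regex on the tab payload
var_dump(hardenedIsDangerousHref($tabSplit));   // normalised, then scheme allow-listed
var_dump(hardenedIsDangerousHref($spaceSplit)); // space is not stripped, so no scheme
var_dump(hardenedIsDangerousHref($plain));      // listed scheme
```

Note that PCRE's `\s` does not cover the whole C0 range, so a keyword regex that only adds `\s*` still differs from what the URL parser actually discards; normalising first keeps the check aligned with the browser.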
POC for the new version of the WordPress plugin, 1.9.5: entities are not converted to raw data; they are HTML-encoded: https://www.youtube.com/watch?v=hnQA2hc-4_k&feature=youtu.be
Using the payload below to bypass the XSS filter:
Video POC: https://www.youtube.com/watch?v=MIAiX4gkp6U&feature=youtu.be