search

esledov / flarum-ext-quill

Quill WYSIWYG editor for Flarum
8 stars 5 forks source link

quill is not safe #2

Open sijad opened 6 years ago

sijad commented 6 years ago

see quilljs/quill#981 for more info.

for reproducing xss go to http://flarum.courierhost.com/d/15-xss and edit the last post.

https://youtu.be/w1uPaI0Vvds

esledov commented 6 years ago

sijad,

Thank you for your interest in this. Please, correct me if I am wrong.

I think when you insert specially constructed html into quill that affects only your own view before the post is saved.

After post it is saved and shown again (and this is when other users can see it) only limited list of html tags/attributes should be allowed to pass through the flarum's s9e text formatter machinery.

sijad commented 6 years ago

s9e text only affects on output, in https://github.com/esledov/flarum-ext-quill/blob/440a8b827cb562f39ed84bf349b110ed5d2f0e98/js/forum/src/components/QuillEditor.js#L54 you're feeding quill with original user input which can contains malicious codes. this can also be triggered by admins, if they try to edit attacker post.

a proper fix would be use HTML parser like htmlpurifier to cleanup user input before it goes through s9e. but it is possible to introduce other problems for example user might see different content when he try to edit his posts or even lost some of his contents due htmlpurifier.

esledov commented 6 years ago

you're feeding quill with original user input which can contains malicious codes.

User himself enters html. He can enter the same html into notepad, save it as myfile.html and open it in browser. Does it make notepad unsafe?

this can also be triggered by admins, if they try to edit attacker post

There is no way. When somebody else opens the post, offending html will be sanitized.

There is html filtering on server side. I understand your point, but I think implementing html filtering on client side as well is kind of excessive.

sijad commented 6 years ago

User himself enters html. He can enter the same html into notepad, save it as myfile.html and open it in browser. Does it make notepad unsafe?

it's not a self xss, as I said this can be triggered by admins when they try to edit attacker post.

There is no way. When somebody else opens the post, offending html will be sanitized.

you can login as an admin and try to edit this post: http://flarum.courierhost.com/d/16-xxs-again

esledov commented 6 years ago

I am logged in as admin now.

When I am looking at the source of this post

  <div class="Post-body">
      &lt;svg onload=alert(document.location)&gt;
  </div>

I see that svg tag is sanitized.

When I open post for editing, I don't see any content. I assume it was filtered out.

sijad commented 6 years ago

didn't you see an alert when you click on edit link?

esledov commented 6 years ago

Nope

sijad commented 6 years ago

https://youtu.be/skdBnMt4fh4

I just want to make sure we're in same page, as I said before quill is not safe (unlike TinyMCE and CKEditor). I just wanted to warn you, as this impact all Flarum users.