joemccann / dillinger

The last Markdown editor, ever.
https://dillinger.io
MIT License

Document name not escaped when previewing as HTML (Cross-site scripting) #820

Closed magicOz closed 2 years ago

magicOz commented 2 years ago

It seems that the document name is not escaped properly when previewing a document as HTML. https://github.com/joemccann/dillinger/blob/master/plugins/core/server.js#L13

PoC: poc.html.txt

The POST body parameter name lets an attacker inject any arbitrary HTML entities:

dillinger_xss
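The fix the report calls for is to treat the document name as text, not markup, before it is interpolated into the preview page. The following is an added illustration, not Dillinger's own code: the request shape (a POST body with `name` and `html` fields), the page template and the function names are assumptions for this example. It shows the unescaped pattern beside the escaped one so the difference in output is visible.

```javascript
// Added example (not from the Dillinger project): escaping a user-supplied
// document name before it is placed into an HTML preview.
// Assumed request shape: { name: <document name>, html: <rendered markdown> }.

// Characters that can change meaning in an HTML text or attribute context.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern (hypothetical): the name is interpolated raw, so any
// markup in the POST body's `name` field ends up in the page unchanged.
function renderPreviewUnsafe(body) {
  return `<!doctype html><html><head><title>${body.name}</title></head>` +
    `<body><h1>${body.name}</h1>${body.html}</body></html>`;
}

// Hardened pattern: the name is escaped at the point where it enters HTML.
// The rendered markdown (`body.html`) is the preview content itself and is
// passed through as the preview feature intends; only the name is changed here.
function renderPreviewSafe(body) {
  const name = escapeHtml(body.name);
  return `<!doctype html><html><head><title>${name}</title></head>` +
    `<body><h1>${name}</h1>${body.html}</body></html>`;
}

// Constructed sample input: a document name containing markup characters.
const sampleBody = { name: '<b>notes</b> & "draft"', html: '<p>hello</p>' };

module.exports = { escapeHtml, renderPreviewUnsafe, renderPreviewSafe, sampleBody };
```

Escaping at the output point (where the value meets HTML) rather than at input time is the usual choice, because the same name may later be used in a non-HTML context such as a filename or a JSON response, where HTML entities would be wrong.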

joemccann commented 2 years ago

Nice catch. Pull requests are accepted!

On Wed, Sep 22, 2021 at 00:56 Oscar Arnflo @.***> wrote:

It seems that the document name is not escaped properly when previewing a document as HTML.

https://github.com/joemccann/dillinger/blob/master/plugins/core/server.js#L13

PoC: poc.html.txt https://github.com/joemccann/dillinger/files/7208779/poc.html.txt

The POST body parameter name lets an attacker inject any arbitrary HTML entities:

[image: dillinger_xss] https://user-images.githubusercontent.com/7303376/134304280-e29b176c-9604-499c-90a1-a1fb4efe3110.png


-- Sent from Joe in Real Life