If the "website" field of a comment is not empty, [[+authorName]] automatically generates an <a> tag with the "website" value as the content of its "href" attribute, with no way for the site owner to filter that "href" value.
Besides this, if any comment contains an XSS payload, the table of comments is empty when you try to manage the thread in the Quip CMP. Once the harmful comments are removed from the database, everything works fine again.
When writing a new comment in QuipReply, you can put JavaScript code in the website field. Example:
Proof of Concept:
If the email parameter is used as the "href" attribute of an <a> tag (as it is by default), then it will turn into XSS. quipcomment.chunk.tpl - line 8:
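A hardened way to render the author link, added here as an example and not Quip's own code: the website value is linked only when it parses as an http or https URL with a host, and the result is attribute-encoded before it reaches the href. The function names and the sample inputs are my own.

```php
<?php
// Added example (not Quip's code): validate the comment "website" value
// before it is used as the href of the <a> tag rendered for the author.
// Function names are assumptions.

/**
 * Return a safe href for a user-supplied website, or null if the value
 * must not be linked at all.
 */
function safe_website_href(string $website): ?string
{
    $website = trim($website);
    if ($website === '') {
        return null;
    }
    // Reject control characters and whitespace, which some browsers strip
    // before scheme detection.
    if (preg_match('/[\x00-\x20\x7f]/', $website)) {
        return null;
    }
    $parts = parse_url($website);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    // Scheme allowlist: only http and https may be linked.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (filter_var($website, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $website;
}

/** Render the author name, linked only when the website passed validation. */
function render_author(string $authorName, string $website): string
{
    $name = htmlspecialchars($authorName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href = safe_website_href($website);
    if ($href === null) {
        return $name; // plain text, no <a> tag at all
    }
    // Attribute-encode even a validated URL so quotes cannot break out.
    $href = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow noopener">' . $name . '</a>';
}

// Constructed sample inputs: only the first one yields a link.
foreach (['https://example.com/', 'javascript:void(0)', 'example.com', '"><b>x</b>'] as $site) {
    echo render_author('Alice', $site), PHP_EOL;
}
```

The same encoding must be applied where the CMP lists comments, so that a stored payload breaks neither the public thread nor the manager's comment table.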