ncase / nutshell

Make expandable explanations!
https://ncase.me/nutshell/
Creative Commons Zero v1.0 Universal
518 stars 32 forks

xss in nutshell #32

Open arxenix opened 1 year ago

arxenix commented 1 year ago

If nutshell processes untrusted (but sanitized) content, there are some XSS vulnerabilities:

e.g.

<a href="x">:test&lt;img src=x onerror=alert(1)&gt;</a>

gets transformed to

<a href="x" class="nutshell-expandable" mode="closed">
<span class="nutshell-expandable-text">
test<img src="x" onerror="alert(1)">
</span>
<span class="nutshell-ball-up" style="background: rgb(0, 0, 0);"></span>
<span class="nutshell-ball-down" style="background: rgb(0, 0, 0);"></span>
</a>

There's also XSS with untrusted YouTube URLs, e.g. the URL https://youtu.be/pQ2dI_B_Ycg?t=36"></iframe><img src=x onerror="alert(1)">

<a href='https://youtu.be/pQ2dI_B_Ycg?t=36"></iframe><img src=x onerror="alert(1)">'>:xss</a>

DOMPurify should always be run as the very last step before inserting anything into the DOM. Currently nutshell doesn't do this, so there are a few ways to obtain XSS. This should fix potential issues (but also, ideally, the code should be rewritten to avoid all the HTML concatenation and instead use DOM node/tree operations).
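As an added example (not nutshell's own code; the function names are assumed), here are the two inputs from the report handled without dropping untrusted strings straight into markup: the decoded link text is re-escaped as it is placed into the expandable, and the YouTube embed src is rebuilt from a validated video id instead of being copied from the href. It is written as plain string building so it runs without a browser DOM; inside nutshell the DOM-node approach suggested above would be the better fit.

```javascript
// Added example, not nutshell's own code. Function names are assumed.

// Escape a string for use as HTML text content or inside a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the nutshell-expandable anchor from the decoded link text and href.
// Every untrusted value is escaped as it is placed in the markup, so a decoded
// "<img ... onerror=...>" in the text comes out as inert entities again.
function buildExpandable(href, text) {
  return `<a href="${escapeHtml(href)}" class="nutshell-expandable" mode="closed">` +
    `<span class="nutshell-expandable-text">${escapeHtml(text)}</span>` +
    `<span class="nutshell-ball-up"></span><span class="nutshell-ball-down"></span></a>`;
}

// Return the 11-character YouTube video id from a youtube.com or youtu.be URL,
// or null if the URL does not parse or does not carry a well-formed id.
function youtubeVideoId(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  const host = url.hostname.replace(/^www\./, "");
  let id = null;
  if (host === "youtu.be") id = url.pathname.slice(1);
  else if (host === "youtube.com" || host === "m.youtube.com") id = url.searchParams.get("v");
  return id && /^[A-Za-z0-9_-]{11}$/.test(id) ? id : null;
}

// Build the iframe src from the validated id (plus a purely numeric ?t= offset).
// Nothing else from the untrusted URL is copied, so a quote or "</iframe>" in
// the query string can never close the attribute or the element.
function youtubeEmbedSrc(urlString) {
  const id = youtubeVideoId(urlString);
  if (id === null) return null;
  const t = new URL(urlString).searchParams.get("t");
  const start = t !== null && /^\d+$/.test(t) ? `?start=${t}` : "";
  return `https://www.youtube.com/embed/${id}${start}`;
}
```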