patorjk / Extendible-BBCode-Parser

Allows you to parse BBCode and to extend the markup to add your own tags. All major tags are supported and parser reports back any errors it finds.
http://patorjk.com/bbcode-previewer/
MIT License

Not escaping `"` to `&quot;` in process function #25

Open termermc opened 4 years ago

termermc commented 4 years ago

The `process` function used for sanitizing input does not process `"` and therefore in some cases (especially with custom tags) can cause XSS vulnerabilities. For example, if I created a tag that began with `<img src="/myimage.png" title="` and then ended with `" />`, the user could input `" onerror="alert('malicious javascript')" href="` and execute malicious JS. This does not seem to affect any of the default tags provided with XBBCode-Parser, but it's a huge security hole that's not obvious to people creating their own tags. I suggest that `"` be escaped to `&quot;`, along with `'` being escaped (in case the developer used `'` instead of `"`).

Thanks

Merulast commented 1 year ago

You probably want to call this function at the beginning of the `process` function.

    // Replace each quote character with its HTML entity so user text cannot
    // terminate an attribute value; the semicolon is encoded as well.
    function securityFixes(text) {
        return text
            .replaceAll("'", '&apos;')   // single quote -> &apos;
            .replaceAll('"', '&quot;')   // double quote -> &quot;
            .replaceAll(';', '&#59;');   // semicolon -> &#59;
    }

The semicolon got added in case someone wants to break out of style settings at some point.
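To make the attribute-breakout risk described in the issue and the escaping proposed in the comment above concrete, here is an added example (not code from XBBCode-Parser or from either poster). It assumes a hypothetical custom tag, `renderImgTitleUnsafe`/`renderImgTitleSafe`, that interpolates user text into a `title` attribute exactly as the issue describes, and a small `countAttributes` check that a project test could use to detect when user input has introduced an extra attribute. The sample input is constructed for the demonstration.

```javascript
// Added example, not part of XBBCode-Parser. Escapes the characters that
// matter inside an HTML attribute value: &, <, >, " and '. Ampersand goes
// first so entities produced by the later replacements are not re-encoded.
function escapeAttribute(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;'); // &#39; is understood by older HTML parsers that lack &apos;
}

// Hypothetical custom tag that places user text in a title attribute, the
// pattern from the issue. The unsafe variant mirrors the reported bug: quotes
// pass through untouched, so the user text can end the attribute early.
function renderImgTitleUnsafe(userText) {
  return '<img src="/myimage.png" title="' + userText + '" />';
}

// Hardened variant: the same template, with the user text escaped first.
function renderImgTitleSafe(userText) {
  return '<img src="/myimage.png" title="' + escapeAttribute(userText) + '" />';
}

// Simple detection check for a test suite: count attribute-like tokens
// (whitespace, attribute name, =") in the rendered HTML. A template with two
// attributes should still have exactly two after user text is inserted.
function countAttributes(html) {
  return (html.match(/\s[a-zA-Z-]+="/g) || []).length;
}

// Constructed sample input: closes the title attribute and starts new ones.
const sample = '" data-injected="yes" title="';

// Demonstration when run directly with node.
console.log('unsafe:', renderImgTitleUnsafe(sample), countAttributes(renderImgTitleUnsafe(sample)));
console.log('safe:  ', renderImgTitleSafe(sample), countAttributes(renderImgTitleSafe(sample)));
```

With the unsafe template the attribute count rises from 2 to 4, which is the signal a regression test for a custom tag can assert on; with escaping applied the count stays at 2 and the injected text is rendered as inert attribute content.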