prismicio / prismic-dom

Set of helpers to manage Prismic data
https://prismic.io/docs/technologies/prismic-dom-technical-reference

XSS Vulnerability #26

Closed nickw444 closed 6 years ago

nickw444 commented 6 years ago

It seems #22 hasn't really moved, maybe due to the title not being as alarming. Hopefully re-raising it with a more alarming title will warrant some action.

I'd suggest anyone looking to use Prismic for rendering HTML into their website avoid the service until this issue is resolved.

When using prismic-dom to render content written from Prismic CMS, an XSS attack could occur by a content author, potentially stealing sensitive user information.

Steps to reproduce:

1. Set up a schema with a rich text field
2. Write something in the field in plain text that could be evaluated as DOM nodes:

   ```
   Foo Bar Baz
   <script>window.alert('xss')</script>
   ```

3. Fetch the content from the Prismic API, paying attention to the field. Note that there isn't even a span declared there, it's just plain text:

   ```json
   [
     {
       "type": "paragraph",
       "text": "Foo Bar Baz",
       "spans": []
     },
     {
       "type": "paragraph",
       "text": "<script>window.alert('xss')</script>",
       "spans": []
     }
   ]
   ```

4. Run the field through prismic-dom:

   ```js
   const rendered = PrismicDOM.RichText.asHtml(...);
   ```

5. Observe XSS as you think you're safely doing a `document.body = rendered`:

   ```html
   <p>Foo Bar Baz</p><p><script>window.alert('xss')</script></p>
   ```

/cc @benjaminjt
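A minimal illustration, added here and not part of the issue or of prismic-dom itself, of why the text of each rich text node must be HTML-escaped before it is wrapped in a tag. The `escapeHtml`, `renderUnsafe`, `renderSafe` and `containsScriptTag` names are assumptions; the input is a copy of the API response quoted above, and spans are ignored to keep the point visible.

```javascript
// Constructed example for the Prismic rich text shape shown in the issue
// (type / text / spans). Not prismic-dom's own code and not its actual fix;
// it only shows the difference between interpolating author text verbatim
// and escaping it before placing it inside a <p>.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of
// an attribute, so author-supplied text is rendered as text, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable variant, mirroring the behaviour described in the issue:
// the author's text is dropped into the template untouched.
function renderUnsafe(nodes) {
  return nodes.map((n) => `<p>${n.text}</p>`).join('');
}

// Hardened variant: the text is escaped, so any markup in it stays inert.
function renderSafe(nodes) {
  return nodes.map((n) => `<p>${escapeHtml(n.text)}</p>`).join('');
}

// Cheap sanity check a consumer can run on rendered output before injecting
// it into the page: does a <script> start tag survive rendering?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed input, copied from the API response quoted in the issue.
const sample = [
  { type: 'paragraph', text: 'Foo Bar Baz', spans: [] },
  { type: 'paragraph', text: "<script>window.alert('xss')</script>", spans: [] },
];

console.log('unsafe:', renderUnsafe(sample));
console.log('safe:  ', renderSafe(sample));
```

The hardened output shows the second paragraph as visible text (`&lt;script&gt;...`) instead of an executable element.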

srenault commented 6 years ago

@nickw444 Thanks for reporting this. We're going to look at it ASAP.

nickw444 commented 6 years ago

Hi @srenault any update on this?

nickw444 commented 6 years ago

14 days have passed since opening this issue, is there any update on this? My team may have to cancel our Prismic subscription if this is not resolved in a timely manner.

Duaner commented 6 years ago

Hello @nickw444 it's fixed now.

nickw444 commented 6 years ago

Confirmed fixed!