slab / quill

Quill is a modern WYSIWYG editor built for compatibility and extensibility
https://quilljs.com
BSD 3-Clause "New" or "Revised" License
42.86k stars, 3.35k forks

potential security issue for svg xss attacks. #4063

Open adamskwersky opened 5 months ago

adamskwersky commented 5 months ago

See codepen https://codepen.io/Adam-Skwersky/pen/oNOBXzY

Steps for Reproduction

1. Visit codepen
2. Run the codepen, and quill starts in editable mode. Import an XSS file with a
3. Click on "readonly" button to switch the editor to read-only.
4. Then right click on the image and open in new tab. You'll see it opens the alert. This is a demonstration of how an XSS attack can occur through not sanitizing the svg files imported.

**Expected behavior**:
I believe Quill should be secure out of the box, so the built-in image handler should sanitize svg to ensure there are no XSS attacks in it.

**Actual behavior**:
svg files are embedded as-is without sanitizing.

**Platforms**:
affects all platforms
Tested with Firefox 123.0.1, but I believe it impacts most if not all browsers

**Version**:
1.3.6
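A defensive image handler for the problem described in this report, added here as an example; it is not code from the Quill project or from the reporter's codepen. It sniffs the magic bytes of the chosen file and embeds only raster formats, so an SVG (which can carry scripts and event handlers) is never inserted as-is. It assumes the Quill toolbar module's `addHandler` API and a Quill instance passed in as `quill`.

```javascript
// Accepted raster formats, identified by leading magic bytes rather than by the
// browser-supplied MIME type (a renamed .svg file can spoof the latter).
const RASTER_SIGNATURES = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Returns the detected raster MIME type, or null for anything else. SVG is text
// ("<?xml" / "<svg"), so it never matches and is rejected whatever it contains.
function detectRasterType(bytes) {
  for (const sig of RASTER_SIGNATURES) {
    if (bytes.length >= sig.bytes.length && sig.bytes.every((b, i) => bytes[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Builds the data: URL from the *detected* type, not the file's declared type.
function bytesToDataUrl(mime, bytes) {
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return `data:${mime};base64,${btoa(binary)}`;
}

// Browser-only: replaces the toolbar's image handler with one that validates the
// chosen file before embedding. `quill` is an assumed Quill instance.
function installSafeImageHandler(quill) {
  quill.getModule('toolbar').addHandler('image', () => {
    const input = document.createElement('input');
    input.type = 'file';
    input.accept = 'image/png,image/jpeg,image/gif';
    input.onchange = async () => {
      const file = input.files[0];
      if (!file) return;
      const bytes = new Uint8Array(await file.arrayBuffer());
      const mime = detectRasterType(bytes);
      if (mime === null) {
        console.warn('Rejected non-raster upload (SVG or unknown):', file.name);
        return; // nothing is inserted into the editor
      }
      const range = quill.getSelection(true);
      quill.insertEmbed(range.index, 'image', bytesToDataUrl(mime, bytes), 'user');
    };
    input.click();
  });
}
```

Rejecting SVG outright is the simplest fix; if SVG uploads must be supported, the file should instead be run through a sanitizer before being embedded.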
luin commented 5 months ago

Thanks for reporting this! Can you reproduce this in v2? https://quilljs.com/playground/snow

adamskwersky commented 5 months ago

> Thanks for reporting this! Can you reproduce this in v2? https://quilljs.com/playground/snow

I tried using that sandbox but the image picker is different. In the codepen the image picker is a file selection dialog. In the sandbox the image picker is this: [image]