verbb / vizy

A flexible visual editor for Craft CMS

XSS attacks are possible #109

Closed mmatuzovic closed 2 years ago

mmatuzovic commented 2 years ago

Description

XSS attacks are possible because HTML written into the visual editor gets rendered.

Steps to reproduce

  1. Add random HTML into the visual editor (not raw editing mode), e.g.

        <p>This is a <strong>paragraph</strong>.</p>

Expected behavior: If I add HTML in the visual editor, brackets, etc. should be converted to entities.
Actual behavior: HTML gets rendered, which also means that JS will be interpreted.

**Additional info**
- Plugin version: 1.0.10
- Craft version: 3.7.26
- Multi-site: No

**Additional context**

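As an added example (not Vizy's code and not from this thread), a minimal ProseMirror-style serializer showing the behaviour the report asks for: characters typed into the visual editor are escaped, tags come only from the editor's own marks, and a regression check confirms no text node reaches the output verbatim; the node shapes and mark names are assumed for illustration, not Vizy's real schema.

```javascript
// Added example, not Vizy's own code. Node shapes are an assumed
// ProseMirror-style layout for illustration, not Vizy's real schema.
const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the HTML-significant characters so the browser shows them verbatim.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Tags come only from this allow-list of editor marks, never from the text.
const MARK_TAGS = { bold: "strong", italic: "em", code: "code" };

function renderMarks(escapedText, marks = []) {
  return marks.reduce((html, mark) => {
    const tag = MARK_TAGS[mark.type];
    return tag ? `<${tag}>${html}</${tag}>` : html; // unknown marks are dropped
  }, escapedText);
}

// Render a node to HTML; text nodes are the only place user-typed characters
// appear, and they are always escaped before any tag is wrapped around them.
function renderNode(node) {
  const children = (node.content || []).map(renderNode).join("");
  switch (node.type) {
    case "doc":       return children;
    case "paragraph": return `<p>${children}</p>`;
    case "text":      return renderMarks(escapeHtml(node.text), node.marks);
    default:          return ""; // unknown node types never emit raw markup
  }
}

// Regression check of the kind that would catch this issue: every text node
// must appear in the output escaped, and never verbatim if it holds markup.
function textIsEscaped(doc) {
  const html = renderNode(doc);
  const texts = [];
  (function walk(n) { if (n.type === "text") texts.push(n.text); (n.content || []).forEach(walk); })(doc);
  return texts.every((t) => html.includes(escapeHtml(t)) && !(/[<>]/.test(t) && html.includes(t)));
}

// Constructed sample: the markup from the issue pasted as plain text into the
// visual editor, plus a paragraph where one word was bolded with the editor.
const SAMPLE_DOC = { type: "doc", content: [
  { type: "paragraph", content: [
    { type: "text", text: "<p>This is a <strong>paragraph</strong>.</p>" } ] },
  { type: "paragraph", content: [
    { type: "text", text: "Only " },
    { type: "text", text: "this", marks: [{ type: "bold" }] },
    { type: "text", text: " word is bold." } ] },
] };
```
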
hiasl commented 2 years ago

I can confirm that. It was reported as an issue at our last security check.

engram-design commented 2 years ago

Hmmm, I'm sure this must have been a regression, as I recall testing this many times. But regardless, you are correct.

Fixed for the next release. To get the fix early, change your verbb/vizy requirement in `composer.json` to:

    "require": {
      "verbb/vizy": "dev-craft-3 as 1.0.10",
      "...": "..."
    }

Then run `composer update`.

engram-design commented 2 years ago

Fixed in 1.0.11

mmatuzovic commented 2 years ago

Thank you for the quick fix!