Closed by wickedest 6 years ago
For reference, the payload to exploit the vulnerability was:
Injection point inside the page:

```html
<div class="mergely-full-screen-8">
  <div class="mergely-resizer">
    <div id='toto"><script>alert(123)</script>'>
    </div>
  </div>
</div>
```

JavaScript to enable Mergely on it:

```html
<script type="text/javascript">
$(document).ready(function () {
  $(document.getElementsByTagName("div")[2]).mergely({});
});
</script>
```
An application already vulnerable to XSS could force Mergely to construct DOM from an untrusted source.
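To show the bug class the payload above relies on, here is an added example (not Mergely's own code, which this issue does not quote): a reconstructed string-concatenation pattern that copies the target element's `id` into generated markup, beside a version that escapes the value for the attribute context, plus a small check that flags any tag the template did not emit. The function names, the `-editor` suffix and the markup shape are assumptions.

```javascript
// Added example, not Mergely's code: a guessed reconstruction of the bug class.
// The issue shows that an id containing a double quote and a <script> tag ends
// up executing, which is what happens when the id is interpolated verbatim
// into a quoted HTML attribute.

// Unsafe: the id is dropped straight into a quoted attribute (assumed pattern).
function buildPaneMarkupUnsafe(id) {
  return '<div id="' + id + '-editor" class="mergely-editor"></div>';
}

// Escape the characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: every interpolated value is escaped for the attribute context.
// (Using document.createElement + setAttribute('id', ...) avoids the problem
// entirely, but needs a DOM, so the string form is shown here.)
function buildPaneMarkupSafe(id) {
  return '<div id="' + escapeHtml(id) + '-editor" class="mergely-editor"></div>';
}

// Check: the template emits only <div> tags, so any other tag name in the
// output is attacker-controlled. Returns the list of such tag names.
function foreignTags(html) {
  const tags = [];
  const re = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].toLowerCase() !== 'div') tags.push(m[1].toLowerCase());
  }
  return tags;
}

// Constructed input: the id value taken from the payload in this issue.
const payloadId = 'toto"><script>alert(123)</script>';

// Unsafe build leaks two <script> tags; the escaped build leaks none.
console.log(foreignTags(buildPaneMarkupUnsafe(payloadId))); // ['script', 'script']
console.log(foreignTags(buildPaneMarkupSafe(payloadId)));   // []
```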