Stored XSS in WYSIWYG mode only while removing blockquotes #1021
@NkxxkN Thanks for reporting the bug. Test the PR and I'll merge if there is no problem.
Sorry I forgot to link the PR #1022
js87zz pushed a commit that referenced this issue Jun 17, 2021
* refactor: split distribution for chart extension (fix #1021)
* refactor: split distribution for uml extension (fix #1021)
* refactor: split distribution for colorSyntax extension (fix #1021)
* refactor: split dist for scrollFollow extension (fix #1021)
* refactor: split dist for taskCounter extension (fix #1021)
* refactor: split dist for mark extension (fix #1021)
* refactor: split dist for table extension (fix #1021)
* refactor: change ext file path (fix #1021)
* refactor: global root to es6 import (fix #1021)
* refactor: change ext function name
* chore: extension namespace webpack config (#1021)
* refactor: static markdownit instance (fix #1021) remove language option from chart, uml extensions
* chore: change namespace webpack config (fix #1021)
* chore: add script extension bundled build (fix #1021)
* fix: plantuml server encoding changed (fix: #1021)
* fix: apply code review (fix #1047)
js87zz pushed a commit that referenced this issue Jun 17, 2021
Squashed commit of the following:

commit 9f179e4f0619999b740906abfbee1b8021339ca0
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date: Sat Dec 16 00:59:49 2017 +0900
refactor: demo dep path to bower from npm (fix #1024)

commit b13129c10f387cc2382290df38c14cc8639c1192
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date: Fri Dec 15 22:14:09 2017 +0900
style: eslint config

commit 88f1862fdfdcb68b5c7b83f1e6c662219d7a7fcb
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date: Fri Dec 15 21:27:54 2017 +0900
refactor: namespace to es6 import (fix #1024)

commit 652aa682af8d0869d583f8714e8dc2012c0a58fb
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date: Fri Dec 15 16:04:46 2017 +0900
refactor: update npm dep & es6 import for packages (fix #1024)

commit f9f3d46c67fd31f93539633d7c7b95866da2f719
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date: Fri Dec 15 11:12:23 2017 +0900
refactor: npm dep update & es6 import jquery, colorpicker (fix #1024)

commit 6c05b7c208d363155d8133b83cae084d79233724
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date: Thu Dec 14 20:20:06 2017 +0900
fix: broken webpack external conf for serve (fix #1021)

commit 1a4f92fb92dc5dc53f91cba508209eb77f5701d9
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date: Thu Dec 14 17:18:11 2017 +0900
chore: update dependencies (fix #1024)
Describe the bug
While auditing a client using tui editor in WYSIWYG only mode, I found a persistent XSS which requires user interaction.
It is different from #703 because it can be triggered by removing an input from another user, and not from copy/pasting a payload. This means that it can be leveraged as a stored XSS.
The payload is a little bit different too: `<svg><svg onload=alert('xss')>` is enough to trigger the XSS.
The vulnerable code is the following:
https://github.com/nhn/tui.editor/blob/master/apps/editor/src/js/wwCodeBlockManager.js#L354
`firstLine` is not sanitized properly.
To Reproduce
Steps to reproduce the behavior:
`<svg><svg onload=alert('xss')>`.
`[CURSOR HERE]<svg><svg onload=alert('xss')>`.
Expected behavior
No XSS :)
Screenshots
Desktop:
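An added illustration of the bug class the report describes, not tui.editor's code and not taken from the linked file: a line of stored text is concatenated into markup, shown next to an escaped variant. The function names, the `<div>…<br>` wrapper and the sample text are assumptions made for the example.

```javascript
'use strict';
// Added illustration, not tui.editor code; every name below is hypothetical.

// Constructed sample: the text of a block as another user stored it.
// Its first line is the payload quoted in the report.
const storedText = "<svg><svg onload=alert('xss')>\nsecond line";

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text so that an HTML parser treats it as character data only.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the first line is plain text, but it is concatenated into
// markup, so anything that later parses this string as HTML creates elements.
function firstLineMarkupUnsafe(text) {
  const [firstLine] = text.split('\n');
  return `<div>${firstLine}<br></div>`;
}

// Hardened: same output shape, with the line escaped before concatenation.
function firstLineMarkupSafe(text) {
  const [firstLine] = text.split('\n');
  return `<div>${escapeHtml(firstLine)}<br></div>`;
}

// Regression-test helper (a crude check, not a sanitizer): list the opening
// tags in the markup other than the wrapper's own div and br.
function unexpectedTags(markup, allowed = ['div', 'br']) {
  const tags = [...markup.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((tag) => !allowed.includes(tag));
}

console.log('unsafe:', unexpectedTags(firstLineMarkupUnsafe(storedText)));
console.log('safe:  ', unexpectedTags(firstLineMarkupSafe(storedText)));
console.log(firstLineMarkupSafe(storedText));
```

In browser code the same effect is obtained by writing the line with `textContent` or `createTextNode` instead of building an HTML string.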