Stored XSS in WYSIWYG mode only while removing blockquotes #1021

Closed
kant01ne opened this issue Jun 3, 2020 · 2 comments

@kant01ne
Contributor

kant01ne commented Jun 3, 2020

Describe the bug

While auditing a client using tui editor in WYSIWYG only mode, I found a persistent XSS which requires user interaction.

It is different from #703 because it can be triggered by removing an input from another user, and not from copy/pasting a payload. This means that it can be leveraged as a stored XSS.

The payload is a little bit different too:
<svg><svg onload=alert('xss')> is enough to trigger the XSS.

The vulnerable code is the following:
https://github.com/nhn/tui.editor/blob/master/apps/editor/src/js/wwCodeBlockManager.js#L354

firstLine is not sanitized properly.

To Reproduce

Steps to reproduce the behavior:

  1. Create blockquotes.
  2. Copy <svg><svg onload=alert('xss')>.
  3. [CURSOR HERE]<svg><svg onload=alert('xss')>.
  4. Press delete key.
  5. XSS is triggered.

Expected behavior

No XSS :)

Screenshots

[Screenshot: tui editor before]

Desktop:

  • OS: Mac
  • Browser:
  • Chrome: 81.0.4044.138
  • Firefox: 76.0.1
@kant01ne kant01ne added the Bug label Jun 3, 2020
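The bug class described in this report (a line of user text spliced into an HTML string while a block boundary is rebuilt), as an added example that is not tui.editor's code and does not reproduce the linked wwCodeBlockManager.js logic: the function names and the `<pre><code>` wrapper are assumptions, and the only input is the payload quoted above.

```javascript
// Constructed input: the payload quoted in the report.
const PAYLOAD = "<svg><svg onload=alert('xss')>";

// Unsafe pattern (illustrative, not the library's code): the first line of a
// block is spliced into an HTML string verbatim, so any tag it carries is
// parsed as live markup once the string reaches innerHTML.
function unsafeRenderFirstLine(firstLine) {
  return `<pre><code>${firstLine}</code></pre>`;
}

// Hardened pattern: escape the characters that can switch HTML context
// before the text is placed inside element content.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function safeRenderFirstLine(firstLine) {
  return `<pre><code>${escapeHtml(firstLine)}</code></pre>`;
}

// Lossless inverse, so escaping at render time does not corrupt stored text.
const HTML_UNESCAPES = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'",
};
function unescapeHtml(html) {
  return String(html).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Regression check: the rendered markup must contain only the wrapper tags.
// Any other tag means user text reached the HTML parser unescaped.
const WRAPPER_TAGS = ['<pre>', '<code>', '</code>', '</pre>'];
function onlyWrapperTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((tag) => WRAPPER_TAGS.includes(tag));
}
```

The same check can be run as a unit test over every code path that rebuilds markup from editor text, which is how a regression of the kind reported here is caught before release.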
@seonim-ryu
Member

@NkxxkN Thanks for reporting the bug. Test the PR and I'll merge if there is no problem.

@kant01ne
Contributor Author

kant01ne commented Jun 5, 2020

Sorry, I forgot to link the PR: #1022

js87zz pushed a commit that referenced this issue Jun 17, 2021
* refactor: split distribution for chart extension (fix #1021)

* refactor: split distribution for uml extension (fix #1021)

* refactor: split distribution for colorSyntax extension (fix #1021)

* refactor: split dist for scrollFollow extension (fix #1021)

* refactor: split dist for taskCounter extension (fix #1021)

* refactor: split dist for mark extension (fix #1021)

* refactor: split dist for table extension (fix #1021)

* refactor: change ext file path (fix #1021)

* refactor: global root to es6 import (fix #1021)

* refactor: change ext function name

* chore: extension namespace webpack config (#1021)

* refactor: static markdownit instance (fix #1021)

remove language option from chart, uml extensions

* chore: change namespace webpack config (fix #1021)

* chore: add script extension bundled build (fix #1021)

* fix: plantuml server encoding changed (fix: #1021)

* fix: apply code review (fix #1047)
js87zz pushed a commit that referenced this issue Jun 17, 2021
Squashed commit of the following:

commit 9f179e4f0619999b740906abfbee1b8021339ca0
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date:   Sat Dec 16 00:59:49 2017 +0900

    refactor: demo dep path to bower from npm (fix #1024)

commit b13129c10f387cc2382290df38c14cc8639c1192
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date:   Fri Dec 15 22:14:09 2017 +0900

    style: eslint config

commit 88f1862fdfdcb68b5c7b83f1e6c662219d7a7fcb
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date:   Fri Dec 15 21:27:54 2017 +0900

    refactor: namespace to es6 import (fix #1024)

commit 652aa682af8d0869d583f8714e8dc2012c0a58fb
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date:   Fri Dec 15 16:04:46 2017 +0900

    refactor: update npm dep & es6 import for packages (fix #1024)

commit f9f3d46c67fd31f93539633d7c7b95866da2f719
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date:   Fri Dec 15 11:12:23 2017 +0900

    refactor: npm dep update & es6 import jquery, colorpicker (fix #1024)

commit 6c05b7c208d363155d8133b83cae084d79233724
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date:   Thu Dec 14 20:20:06 2017 +0900

    fix: broken webpack external conf for serve (fix #1021)

commit 1a4f92fb92dc5dc53f91cba508209eb77f5701d9
Author: kyuwoo.choi <kyuwoo.choi@nhnent.com>
Date:   Thu Dec 14 17:18:11 2017 +0900

    chore: update dependencies (fix #1024)