This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fixed XSS on hexo-admin post editor #2

Closed
wants to merge 1 commit into from


Asjidkalam

📊 Metadata *

Fixed Cross-site scripting vulnerability

Bounty URL: https://www.huntr.dev/bounties/1-npm-hexo-admin

⚙️ Description *

A cross-site scripting vulnerability exists in the hexo-admin plugin's create-post functionality.
Issue: jaredly#185
Since the code uses the user-input data without any sanitizing, users could inject JavaScript code to perform XSS. Hence validating the user input could resolve the issue.

💻 Technical Description *

I used the DOMPurify library to escape the unsanitized code. The fix for a different functionality was already implemented on the same package (#1). This fix is an extension to it.

🐛 Proof of Concept (PoC) *

npm install -g hexo
cd ~/
hexo init my-blog
cd my-blog
npm install
npm install --save hexo-admin
hexo server -d

Open http://localhost:4000/admin/, click on create new post and provide this payload: "><img src=x onerror=alert("XSS")>
PoC from issue: https://github.com/jaredly/hexo-admin/files/3077011/PLUGIN.Hexo-admin-XSS-PoC.zip

🔥 Proof of Fix (PoF) *

The input will be sanitized after passing through the DOMPurify function, and no XSS will be triggered.

@Asjidkalam Asjidkalam closed this Aug 14, 2020
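
An added example, not part of this pull request and not hexo-admin's code: it renders the PoC payload into a quoted attribute with and without encoding, then checks which tags the markup would open. It uses plain output encoding instead of DOMPurify so it runs without a DOM; the `<input>` template and all function names are assumptions.

```javascript
// Added example; renderTitle* and openedTags are hypothetical, not hexo-admin code.
// Payload quoted in the PR's proof of concept.
const PAYLOAD = '"><img src=x onerror=alert("XSS")>';

// Vulnerable pattern: user input concatenated into a quoted attribute value.
function renderTitleUnsafe(title) {
  return '<input class="title" value="' + title + '">';
}

// Encode the characters that can end an attribute value or open a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hardened form: same template, value encoded for the attribute context.
function renderTitleSafe(title) {
  return '<input class="title" value="' + escapeHtml(title) + '">';
}

// Simplified scanner (not a full HTML parser): lists the tags the markup opens
// and whether each carries an on* event-handler attribute. Quoted attribute
// values are skipped, so text inside a value is never mistaken for an attribute.
function openedTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }
    let j = i + m[0].length;
    let quote = null;
    let outside = ''; // attribute text found outside quoted values
    for (; j < html.length; j++) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; continue; }
      if (c === '"' || c === "'") { quote = c; continue; }
      if (c === '>') break;
      outside += c;
    }
    tags.push({ name: m[1].toLowerCase(), hasHandler: /\son[a-z]+\s*=/i.test(outside) });
    i = j + 1;
  }
  return tags;
}

console.log('unsafe:', JSON.stringify(openedTags(renderTitleUnsafe(PAYLOAD))));
console.log('safe:  ', JSON.stringify(openedTags(renderTitleSafe(PAYLOAD))));
```
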