
Possible XSS bug #1531

Open
billford opened this issue Jul 10, 2019 · 5 comments

Comments

@billford

commented Jul 10, 2019

Describe the bug
Create or edit a page
Steps To Reproduce
Steps to reproduce the behavior:

  1. create or edit a page
  2. add some text, hit enter
  3. add malicious or even innocuous javascript
  4. you get the pop up on save or any refresh.

Expected behavior
This should be filtered and sanitized so it doesn't actually execute.

Screenshots
Attached: Screen Shot 2019-07-10 at 1 36 16 PM, Screen Shot 2019-07-10 at 1 36 02 PM

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.26.2

  • PHP Version: 7.2.19

  • Hosting Method (Nginx/Apache/Docker): Apache

Additional context
I have none.

@ssddanbrown (Member)

commented Jul 10, 2019

Thanks for raising this @billford. Looks like my XPath queries were a bit weak. I've applied c732970 which should cover this while increasing the range of checks in tests.

I have just deployed BookStack v0.26.3 to distribute this update.

Thanks again!

@billford (Author)

commented Jul 11, 2019

I don't think this is quite fixed (but this may be meant as a feature so I'm not sure)

iframe tags in the edit page still allow for XSS-style entries. Interestingly enough, that works on both the preview and when you save it. Screenshots attached: Screen Shot 2019-07-11 at 9 37 01 AM, Screen Shot 2019-07-11 at 9 36 50 AM

@billford (Author)

commented Jul 12, 2019

Mutated XSS works as well:

<a a=" but only in the editor function.

@ssddanbrown ssddanbrown reopened this Jul 15, 2019

@ssddanbrown ssddanbrown added this to the v0.27.0 milestone Jul 15, 2019

@ssddanbrown (Member)

commented Jul 15, 2019

Thanks for the extra finds @billford. Have marked for the next release to ensure I don't forget to patch these cases but will probably tackle sooner than that.

@ssddanbrown ssddanbrown modified the milestones: v0.27.0, v0.26.4 Aug 6, 2019

ssddanbrown added a commit that referenced this issue Aug 6, 2019
@ssddanbrown (Member)

commented Aug 6, 2019

I have just deployed v0.26.4 which adds extra escaping for iframes with JavaScript URLs. I also realised that iframes with base64 data URLs, that include script tags, could be used to fire JS so I also check for those.

I'm not as worried about the editor due to the lower frequency but I'll leave this open as a reminder to address it.

ssddanbrown added a commit that referenced this issue Aug 26, 2019
Made MD editor display a sandboxed iframe
- Also added escaping of srcdoc elements in escape logic.

Related to #1531
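As an added illustration of the server-side checks this thread converges on (the maintainer's Aug 6 comment on javascript: iframe URLs and base64 data: URLs wrapping a script tag, and the Aug 26 commit's escaping of srcdoc), here is a stand-alone scan-and-escape pass in Python. It is example code written for this page, not BookStack's own PHP implementation: it uses the standard-library html.parser in place of the DOMDocument/XPath queries the maintainer refers to, and every function and finding name (escape_script_vectors, iframe-javascript-url, and so on) is this example's own. The sample inputs in the usage section are constructed for the example.

```python
"""Scan stored page HTML for the script vectors raised in this thread and
neutralise them.  Example code written for this page (standard library only),
not BookStack's PHP; html.parser stands in for the project's DOMDocument/XPath
pass, and every function and finding name here is this example's own."""
import base64
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Browsers strip ASCII whitespace and C0 controls from a URL before matching the
# scheme, so "java\tscript:" and " JavaScript:" are both javascript: URLs.
_STRIP = re.compile(r"[\x00-\x20]+")


def _normalise_url(value: str) -> str:
    return _STRIP.sub("", value).lower()


def _data_url_wraps_script(value: str) -> bool:
    """True for a data: URL whose decoded body contains a <script tag."""
    if not _normalise_url(value).startswith("data:"):
        return False
    header, sep, payload = value.partition(",")
    if not sep:
        return False
    if ";base64" in _normalise_url(header):
        try:
            body = base64.b64decode(_STRIP.sub("", payload)).decode("utf-8", "replace")
        except ValueError:       # binascii.Error is a ValueError; undecodable => hostile
            return True
    else:
        body = unquote(payload)  # percent-encoded text/html payload
    return "<script" in body.lower()


def classify_iframe_attr(name: str, value: str):
    """Label a dangerous iframe attribute, or return None if it may be kept."""
    if name == "srcdoc":         # inline document, rendered with the page's own origin
        return "iframe-srcdoc"
    if name == "src":
        if _normalise_url(value).startswith("javascript:"):
            return "iframe-javascript-url"
        if _data_url_wraps_script(value):
            return "iframe-data-url-script"
    return None


class ScriptVectorEscaper(HTMLParser):
    """Re-emit the input, turning <script> elements into visible text and
    dropping dangerous iframe attributes.  Each hit is appended to .findings."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. verbatim
        self.out, self.findings, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if tag == "script":
            self.findings.append(("script-element", raw))
            self._in_script = True
            self.out.append(escape(raw))
        elif tag == "iframe":
            kept = []
            for name, value in attrs:  # html.parser has already entity-decoded value
                label = classify_iframe_attr(name, value or "")
                if label:
                    self.findings.append((label, f'{name}="{value or ""}"'))
                    continue           # drop the attribute entirely
                kept.append(name if value is None else f'{name}="{escape(value)}"')
            self.out.append("<iframe" + "".join(" " + a for a in kept) + ">")
        else:
            self.out.append(raw)

    def handle_startendtag(self, tag, attrs):
        if tag in ("script", "iframe"):  # browsers ignore the "/" on these tags
            self.handle_starttag(tag, attrs)
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.out.append(escape(f"</{tag}>"))
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):         # script bodies become text; all else passes
        self.out.append(escape(data) if self._in_script else data)

    # Remaining tokens are passed through unchanged.
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def escape_script_vectors(html: str):
    """Return (escaped_html, findings) for one block of page content."""
    parser = ScriptVectorEscaper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings
```

Running `escape_script_vectors('<iframe src=" Java&#9;Script:alert(1)"></iframe>')` returns `('<iframe></iframe>', [('iframe-javascript-url', 'src=" Java\tScript:alert(1)"')])`. Two design points matter for the cases in this thread: the parser entity-decodes attribute values before the check runs, which is what a browser does and what defeats `&#106;avascript:` spellings, and the scheme match strips whitespace and control characters first, since `java<TAB>script:` is still a JavaScript URL to the browser. srcdoc is dropped outright rather than inspected because it is a complete document rendered with the embedding page's origin unless the iframe carries a sandbox attribute, which is also why a sandboxed iframe is the right place to render an untrusted Markdown preview.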