Stored XSS

[delyura]

Hello, we found the stored xss.
Tested on latest version 0.9.20.
Poc:

1. Write a DM to any user
   
2. Then read the incoming message and press "quote" to quote the message with payload. Press the button Response.
   
3. XSS execute
   

[Alex300]

Same as #1661. This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users.

It is needed to disable JavaScript in HTMLPurifier somehow for admins too.

[Alex300]

<script> tags are disabled in HTMLPurifier for admins too

[delyura]

<script> tags are disabled in HTMLPurifier for admins too

Creating blacklists is not best practice, you should use whitelist. For example, you disable the <script> tag, but the payload <img src=x onerror=alert(1)> will work.
For a comprehensive list, check out the DOMPurify allowlist.

[Alex300]

see here: #1661