
Stored XSS #1660

Closed
delyura opened this issue Aug 30, 2022 · 4 comments

delyura commented Aug 30, 2022

Hello, we found a stored XSS.
Tested on the latest version, 0.9.20.
PoC:

  1. Write a DM to any user.
    [Screenshot_1]
  2. Then read the incoming message and press "quote" to quote the message with the payload. Press the "Response" button.
    [Screenshot_2]
  3. The XSS executes.
    [Screenshot_3]
@Alex300 Alex300 self-assigned this Aug 31, 2022
@Alex300 Alex300 added this to the Siena 0.9.21 milestone Aug 31, 2022
Alex300 (Member) commented Sep 4, 2022

Same as #1661. This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users.

It is necessary to disable JavaScript in HTMLPurifier for admins too, somehow.

@Alex300 Alex300 removed the Critical label Sep 4, 2022
Alex300 added a commit that referenced this issue Sep 4, 2022
<script> tags are disabled in HTMLPurifier for admins too
Alex300 (Member) commented Sep 4, 2022

<script> tags are disabled in HTMLPurifier for admins too

@Alex300 Alex300 closed this as completed Sep 4, 2022
delyura (Author) commented Sep 4, 2022

> <script> tags are disabled in HTMLPurifier for admins too

Creating blacklists is not best practice; you should use a whitelist. For example, you disable the <script> tag, but the payload <img src=x onerror=alert(1)> will still work.
For a comprehensive list, check out the DOMPurify allowlist.
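The blacklist-versus-allowlist point above, as an added example that is not part of the original thread and not Cotonti's or HTML Purifier's own code. It runs the two payloads from the discussion through a minimal "strip <script>" blacklist and through an HTML Purifier allowlist configuration (`HTML.Allowed`). The Composer autoload path and the particular allowed element list are assumptions for the example; the payload strings are constructed from the report.

```php
<?php
// Added example (not Cotonti's or HTML Purifier's own code): a "<script>"-only
// blacklist beside an HTML Purifier allowlist configuration.
// Assumes HTML Purifier is installed via Composer (ezyang/htmlpurifier);
// the autoload path is an assumption for this example.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed payloads: the first is what the commit message targets, the
// second is the one from the comment above and carries no <script> tag at all.
$payloads = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
];

// Blacklist: remove <script> elements and nothing else. This rule has no
// knowledge of event-handler attributes, so the <img onerror> payload
// passes through untouched.
function blacklistScript(string $html): string
{
    return preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $html) ?? '';
}

// Allowlist: HTML Purifier with an explicit list of elements and attributes.
// Everything not named here is dropped, including every on* attribute, so the
// <img> survives but its onerror handler does not. The list itself is an
// assumption; a real deployment would name exactly what the feature needs.
function allowlistPurify(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,a[href],img[src|alt]');
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

foreach ($payloads as $p) {
    echo "input:     " . $p . "\n";
    echo "blacklist: " . blacklistScript($p) . "\n";
    echo "allowlist: " . allowlistPurify($p) . "\n\n";
}
```

Running this shows the difference the comment describes: the blacklist neutralises only the first payload and returns the second one unchanged, while the allowlist keeps the `<img>` element but emits it without the `onerror` attribute, because that attribute was never granted. Adding more entries to `HTML.ForbiddenElements` or `HTML.ForbiddenAttributes` would be the same blacklist game played inside HTML Purifier; the fix is to give administrators an explicit allowed set rather than a larger default set with individual tags removed.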

Alex300 (Member) commented Sep 4, 2022

see here: #1661
