Stored XSS on forum

[delyura]

Hello, we found the stored xss on forum.
Tested on latest version 0.9.20.
Poc:

1. Create new topic with poll
   
2. XSS execute
   

[Alex300]

This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users.

It is needed to disable JavaScript in HTMLPurifier somehow for admins too.

[Alex300]

<script> tags are disabled in HTMLPurifier for admins too

[delyura]

<script> tags are disabled in HTMLPurifier for admins too

Creating blacklists is not best practice, you should use whitelist. For example, you disable the <script> tag, but the payload <img src=x onerror=alert(1)> will work.
For a comprehensive list, check out the DOMPurify allowlist.

[Alex300]

Are you suggesting to make a whitelist with all possible valid options, except for the <script> tag :)?

but the payload <img src=x onerror=alert(1)>

Really? I can't reproduce this case.

Moreover, this situation is only possible if administrator will save text with the XSS script. Regular users has more stricter HTMLPurifier settings.

[Cristian-Bejan]

Are you suggesting to make a whitelist with all possible valid options, except for the <script> tag :)?

but the payload <img src=x onerror=alert(1)>

Really? I can't reproduce this case.

Moreover, this situation is only possible if administrator will save text with the XSS script. Regular users has more stricter HTMLPurifier settings.

He is saying to only allow (whitelist) e.g. plain text. Thus you will automatically reject everything else.

[Alex300]

I understood, but in this case it is needed all options from HTMLPurifier default policy except JS tag and attributes )