
Stored Cross-site Scripting (XSS) #125

Closed
prodigysml opened this issue Oct 28, 2017 · 3 comments

Comments

@prodigysml

Issue Summary

Stored Cross-site Scripting (XSS) in the page editor, causing any author to get arbitrary JavaScript execution in any viewer's browser.

Steps to Reproduce


  1. Log in as a user with writer permissions
  2. Choose to edit a blog post
  3. Choose to embed a resource. A side panel will appear asking you for code.
  4. Enter the following payload in the side panel: <IFRAME SRC="javascript:alert(1);"></IFRAME>, and save the blog.
  5. View the blog and observe an alert box pop up.

Additional info

  • Leafpub version: 1.2.0-beta6
  • PHP version: 7.0
  • Affected browsers: All that can run JavaScript
  • Operating system: Ubuntu
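The steps above show the embed panel storing a `javascript:` iframe verbatim and serving it to every reader. What follows is an added example, not Leafpub's code and not from the reporter, of the allowlist validation such a panel needs before an embed is saved: the snippet must be exactly one `<iframe>`, with no event-handler or `srcdoc` attributes, whose `src` resolves (after entity decoding and the whitespace stripping browsers apply) to an `https:` URL on an allowlisted host. The host list, the function names and the sample inputs are assumptions made for the example.

```javascript
// Added example, not Leafpub's code: validate the text a writer pastes into
// the "embed a resource" panel. The report shows the panel accepting
// <IFRAME SRC="javascript:alert(1);"> unchanged; this models the server-side
// check that would reject it.
// Assumption (hypothetical): only <iframe> embeds of https: URLs on the hosts
// below are wanted. Adjust the set for a real site.

const ALLOWED_EMBED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// One start or end tag: group 1 = "/" for end tags, group 2 = tag name,
// group 3 = raw attribute text.
const TAG_RE = /<\s*(\/?)\s*([a-z][a-z0-9-]*)([^>]*)>/gi;

// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([a-z][a-z0-9_:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;

// Decode numeric and the common named entities, so a src such as
// "java&#x73;cript:" is seen the way the browser will see it.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&quot;/gi, '"')
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&amp;/gi, '&'); // last, so "&amp;#x73;" is decoded only once
}

// Scheme of a URL as a browser resolves it: ASCII control and whitespace
// characters inside the scheme are ignored ("java\tscript:"), case is not significant.
function urlScheme(url) {
  const cleaned = url.replace(/[\x00-\x20]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function parseAttrs(text) {
  const attrs = {};
  for (const m of text.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns { ok: true, src } for a single <iframe> on an allowlisted https:
// host, otherwise { ok: false, reason }.
function checkEmbed(html) {
  const tags = [...html.matchAll(TAG_RE)];
  if (html.replace(TAG_RE, '').trim() !== '') {
    return { ok: false, reason: 'content outside the iframe element' };
  }
  const opening = [];
  for (const t of tags) {
    const name = t[2].toLowerCase();
    if (name !== 'iframe') return { ok: false, reason: `element <${name}> not allowed` };
    if (t[1] !== '/') opening.push(t[3]);
  }
  if (opening.length !== 1) return { ok: false, reason: 'expected exactly one iframe' };

  const attrs = parseAttrs(opening[0]);
  for (const name of Object.keys(attrs)) {
    if (name.startsWith('on')) return { ok: false, reason: `event handler ${name} not allowed` };
    if (name === 'srcdoc') return { ok: false, reason: 'srcdoc not allowed' };
  }
  if (!('src' in attrs)) return { ok: false, reason: 'iframe without src' };

  const src = decodeEntities(attrs.src).trim();
  const scheme = urlScheme(src);
  if (scheme !== 'https') return { ok: false, reason: `scheme ${scheme ?? '(none)'} not allowed` };
  let host;
  try { host = new URL(src).hostname; } catch { return { ok: false, reason: 'unparsable src' }; }
  if (!ALLOWED_EMBED_HOSTS.has(host)) return { ok: false, reason: `host ${host} not allowlisted` };
  return { ok: true, src };
}

// Constructed inputs: the payload from the report and a benign embed.
const REPORTED_PAYLOAD = '<IFRAME SRC="javascript:alert(1);"></IFRAME>';
const BENIGN_EMBED = '<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ" width="560"></iframe>';

for (const s of [REPORTED_PAYLOAD, BENIGN_EMBED]) {
  console.log(s, '->', JSON.stringify(checkEmbed(s)));
}
```

This is a reject-or-accept validator rather than a sanitizer: anything that is not a plain allowlisted iframe is refused with a reason the editor can show, which is easier to reason about than trying to clean arbitrary markup. A host allowlist also closes the `https://www.youtube.com@evil.example/` style of lookalike URL, because the check is made on the parsed hostname, not on a string prefix. Embeds from third-party hosts still deserve the `sandbox` attribute on the rendered iframe, and output escaping elsewhere in the editor is a separate concern.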
@karsasmus
Contributor

I don't understand your point. You'll be able to embed an iframe with javascript on your own site? Or a person you've allowed to write on your site is able to do that?

@prodigysml
Author

Yes, a person you have allowed to write on your site is able to do that. The idea is, this can be used for denying service to other users and hijacking other users' sessions by stealing their session tokens (as HttpOnly is not set on them).
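The reply above relies on the session cookie being readable from script because HttpOnly is not set on it. The check below is an added example, not Leafpub's code and not from either participant: it parses a Set-Cookie response header and lists the protections a session cookie is missing. The cookie name and the header values are constructed for the example.

```javascript
// Added example, not Leafpub's code: audit a Set-Cookie header for the
// attributes that limit what an injected script can do with a session cookie.
// Cookie name and values below are constructed for illustration.

function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';');
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    attrs: {}, // lower-cased attribute name -> value string, or true for flags
  };
  for (const part of attrParts) {
    const [k, ...rest] = part.split('=');
    const key = k.trim().toLowerCase();
    if (key === '') continue;
    cookie.attrs[key] = rest.length ? rest.join('=').trim() : true;
  }
  return cookie;
}

// Returns the list of findings for one Set-Cookie header; empty means the
// cookie carries HttpOnly, Secure and a restrictive SameSite value.
function sessionCookieFindings(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) {
    findings.push(`${c.name}: HttpOnly missing, document.cookie exposes the token to injected script`);
  }
  if (!c.attrs.secure) {
    findings.push(`${c.name}: Secure missing, token is sent over plaintext HTTP`);
  }
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push(`${c.name}: SameSite missing or None, cookie rides along on cross-site requests`);
  }
  return findings;
}

// Constructed headers: one as the reply describes (no HttpOnly), one hardened.
const WEAK_HEADER = 'session=abc123; Path=/';
const HARDENED_HEADER = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

for (const h of [WEAK_HEADER, HARDENED_HEADER]) {
  console.log(h, '->', sessionCookieFindings(h));
}
```

Setting HttpOnly stops the token from being copied out via `document.cookie`, which is the theft the reply describes. It does not stop the stored script from making requests inside the victim's authenticated session while the page is open, so the flag reduces the impact of the XSS rather than removing it; the embed validation is still the fix.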

@karsasmus
Contributor

Then you should choose your writers wisely.
