
Code blocks are not sanitized during excerpt generation. Unintended script execution possible. #17058

Closed
1 task done
cathysarisky opened this issue Jun 19, 2023 · 2 comments · Fixed by #17190
Labels
bug [triage] something behaving unexpectedly

Comments

@cathysarisky (Contributor)

Issue Summary

If the user creates a code block in the Ghost editor (old or beta version) at the very start of the post, and does not set a custom_excerpt, the excerpt generated can lead to unintended injection of any scripts onto the homepage.

A simple example:
Post looks like this:
[image: screenshot of the post]

Front page (Ruby) renders that like this:
[image: screenshot of the front page]

[Not just a Ruby problem. Can repro in any theme with an excerpt on the index page]

Steps to Reproduce

Create a post. Start it with a code card. Start the code card with a script tag. Using a theme that displays excerpts on the front page, navigate to the front page.

Ghost Version

5.51

Node.js Version

on Ghost Pro

How did you install Ghost?

Ghost Pro

Database type

MySQL 8

Browser & OS version

Chrome, Windows 10, recent.

Relevant log / error output

see above - and yes, that shows up in my console logs!

Code of Conduct

  • I agree to be friendly and polite to people in this repository
@github-actions github-actions bot added the needs:triage [triage] this needs to be triaged by the Ghost team label Jun 19, 2023
@cathysarisky cathysarisky changed the title Unintended script running from textual code block! Code blocks are not sanitized during excerpt generation. Unintended script execution possible. Jun 19, 2023
@daniellockyer daniellockyer added the bug [triage] something behaving unexpectedly label Jun 20, 2023
@github-actions github-actions bot removed the needs:triage [triage] this needs to be triaged by the Ghost team label Jun 20, 2023
@joeldesante (Contributor)

I can confirm this bug is reproducible.

NodeJS v18
Ghost v5.53.3
Browser: Firefox 114.0.1

--

I'd like to look into fixing this if that's okay!

[image: Screenshot 2023-07-03 at 4:39:45 PM]
[image: Screenshot 2023-07-03 at 4:43:29 PM]

joeldesante added a commit to joeldesante/Ghost that referenced this issue Jul 4, 2023
closes TryGhost#17058
Using the lodash escape function. We can avoid XSS vulnerabilities in post excerpts.
joeldesante added a commit to joeldesante/Ghost that referenced this issue Jul 4, 2023
fixes TryGhost#17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
daniellockyer pushed a commit to joeldesante/Ghost that referenced this issue Jul 10, 2023
fixes TryGhost#17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
@cathysarisky (Contributor, Author)

Just a note that this bug is still live. Just tested on Source. The excerpt is correctly escaped on the individual post page, but the index page can still be injected.

9larsons pushed a commit that referenced this issue Dec 13, 2023
closes #17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
yunaycompany pushed a commit to yunaycompany/Ghost that referenced this issue Dec 14, 2023
closes TryGhost#17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
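The mitigation the commits above describe, escaping the generated excerpt before it is rendered, as an added example in plain JavaScript (not Ghost's own code; a hand-written `escapeHtml` stands in for lodash `escape`, and `postHtml`, `generateExcerpt` and the render functions are constructed for illustration):

```javascript
// Added example (not Ghost's code): why an excerpt generated from a code
// card needs HTML escaping before it is rendered, on the index page too.
// postHtml, generateExcerpt and the render functions are assumptions.

// Constructed post HTML: a code card at the very start of the post. The
// editor stores the card's content entity-encoded inside <pre><code>.
const postHtml =
  '<pre><code>&lt;script&gt;console.log("hi")&lt;/script&gt;</code></pre>' +
  '<p>Some prose after the code card.</p>';

// Decode the handful of entities the editor produces (constructed subset).
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Excerpt generation: strip tags, decode entities, truncate. The result is
// plain text, so a code card yields a literal "<script>" string.
function generateExcerpt(html, maxLen = 80) {
  const text = decodeEntities(html.replace(/<[^>]+>/g, ' '))
    .replace(/\s+/g, ' ').trim();
  return text.length > maxLen ? text.slice(0, maxLen) : text;
}

// Same escaping table as lodash's escape(): & < > " '
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Vulnerable: the plain-text excerpt is interpolated into template HTML as-is.
function renderExcerptUnsafe(excerpt) {
  return `<p class="excerpt">${excerpt}</p>`;
}

// Fixed: escape the text at every place it is inserted into HTML.
function renderExcerptSafe(excerpt) {
  return `<p class="excerpt">${escapeHtml(excerpt)}</p>`;
}

// Check a theme test can run over the rendered index and post pages alike:
// no element with the given tag name may survive in the excerpt markup.
function containsTag(html, tag) {
  return new RegExp(`<${tag}\\b`, 'i').test(html);
}
```

The `containsTag` check is worth running against the index template as well as the post page, since the last comment reports the post page fixed while the index page was still injectable.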
3 participants