Code blocks are not sanitized during excerpt generation. Unintended script execution possible. #17058
Status: Closed (1 task done)
Labels: bug ([triage] something behaving unexpectedly)
Comments
joeldesante added a commit to joeldesante/Ghost that referenced this issue on Jul 4, 2023:
closes TryGhost#17058 Using the lodash escape function. We can avoid XSS vulnerabilities in post excerpts.
joeldesante added a commit to joeldesante/Ghost that referenced this issue on Jul 4, 2023:
fixes TryGhost#17058 - Uses the lodash `escape` function. - Avoids XSS vulnerabilities in post excerpts.
daniellockyer pushed a commit to joeldesante/Ghost that referenced this issue on Jul 10, 2023:
fixes TryGhost#17058 - Uses the lodash `escape` function. - Avoids XSS vulnerabilities in post excerpts.
Just a note that this bug is still live. Just tested on Source. The excerpt is correctly escaped on the individual post page, but the index page can still be injected.
9larsons pushed a commit that referenced this issue on Dec 13, 2023:
closes #17058 - Uses the lodash `escape` function. - Avoids XSS vulnerabilities in post excerpts.
yunaycompany pushed a commit to yunaycompany/Ghost that referenced this issue on Dec 14, 2023:
closes TryGhost#17058 - Uses the lodash `escape` function. - Avoids XSS vulnerabilities in post excerpts.
Issue Summary
If the user creates a code block in the Ghost editor (old or beta version) at the very start of the post, and does not set a custom_excerpt, the excerpt generated can lead to unintended injection of any scripts onto the homepage.
A simple example:
[screenshot]
Post looks like this:
Front page (Ruby) renders that like this:
[screenshot]
[Not just a Ruby problem. Can repro in any theme with an excerpt on the index page]
Steps to Reproduce
1. Create a post.
2. Start it with a code card.
3. Start the code card with a script tag.
4. Using a theme that displays excerpts on the front page, navigate to the front page.
Ghost Version: 5.51
Node.js Version: on Ghost Pro
How did you install Ghost? Ghost Pro
Database type: MySQL 8
Browser & OS version: Chrome, Windows 10, recent.
Relevant log / error output
Code of Conduct
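Added example (not Ghost's own code) modelling the failure mode this issue describes and the lodash-`escape` style fix named in the referenced commits: a code card is stored with its contents entity-encoded, the excerpt generator strips tags and decodes entities, and the decoded text reaches the template unescaped. The function names, the simplified tag-stripping and the sample post are assumptions made for illustration, not Ghost's implementation; `excerptIsInert` is the kind of check to run on the excerpt in every template that renders one, which is how the index-page regression noted in the comments would have been caught.

```javascript
// Added example, not Ghost's code: a simplified model of excerpt generation.
// Function names and the tag-stripping approach are hypothetical.

// Minimal entity decoder covering the entities a stored code card uses.
// One pass over the string, so "&amp;lt;" decodes to "&lt;", not to "<".
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };

function decodeEntities(text) {
  return text.replace(/&(lt|gt|quot|#39|amp);/g, (m) => ENTITIES[m]);
}

// Same character set and replacements as lodash's `escape`.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: strip tags, decode entities, truncate. The output is then
// dropped into the theme as-is, so code that was safely stored as
// &lt;script&gt; comes back out as a live <script> tag on the index page.
function excerptUnsafe(postHtml, maxLen = 80) {
  const plain = decodeEntities(postHtml.replace(/<[^>]*>/g, ''));
  return plain.slice(0, maxLen);
}

// Hardened: identical derivation, but the text is escaped before it reaches
// the page. Escaping happens after truncation so a multi-character entity
// produced by the escape step is never cut in half.
function excerptSafe(postHtml, maxLen = 80) {
  return escapeHtml(excerptUnsafe(postHtml, maxLen));
}

// Defender-side check for any rendered excerpt: plain text must not carry
// raw tag delimiters. Run it against every template that outputs an excerpt.
function excerptIsInert(excerpt) {
  return !/[<>]/.test(excerpt);
}

// Constructed sample post: begins with a code card whose contents were
// correctly entity-encoded when stored, followed by a normal paragraph.
const SAMPLE_POST =
  '<pre><code>&lt;script&gt;console.log(&quot;hello&quot;)&lt;/script&gt;</code></pre>' +
  '<p>Intro.</p>';

console.log('unsafe:', excerptUnsafe(SAMPLE_POST), excerptIsInert(excerptUnsafe(SAMPLE_POST)));
console.log('safe:  ', excerptSafe(SAMPLE_POST), excerptIsInert(excerptSafe(SAMPLE_POST)));
```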