Stored Cross-site Scripting Bypassing TinyMCE Editor #531
Description of the problem
For git/zip installation method:
Thank you for your report.
Also, the example you give doesn't work in my hands. The onerror part is stripped. I used the Tamper Data Firefox add-on to edit the POST request before submitting it.
I tried looking at Burp Suite but I'm not too keen on installing their binary blob on my system…
Another issue to read: #227
I'll work on removing all inline JS :)
There is no need to install Burp Suite (but just as an FYI, it is an industry standard for web application testing). A CSP fix should work well. Maybe pairing it with the
Finally the easiest fix for a vulnerability like this in my opinion is always HTML encode, however I can understand that may be hard in some cases. Hope that helps!
Now the whole app is working with a restrictive CSP (without unsafe-inline and without unsafe-eval).
Please do not hesitate to tell me if you find other vulns. The app should be audited in the next weeks (or months) by a paid professional anyway, but the more eyes, the better ;)
Closing this as inline JS will not be executed by browsers anymore.
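The two mitigations discussed in this thread, HTML-encoding untrusted content before it is rendered and serving a Content-Security-Policy without `unsafe-inline` or `unsafe-eval`, shown together as an added example. This is not the project's own code: the helper names, the `initEditor()` script that stands in for whatever the editor needs to bootstrap, and the sample stored payload are all constructed for illustration. The policy checker goes slightly beyond the thread by applying the CSP fallback rule (when `script-src` is absent, `default-src` governs scripts).

```python
import html
import secrets

# Source keywords that re-enable inline script execution and must not appear
# in the directive that governs scripts.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

# Constructed sample of a stored payload of the kind the issue describes:
# an event handler attribute on an image tag.
STORED_UNTRUSTED_BODY = "<img src=x onerror=alert(1)>"


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Per the CSP spec the first occurrence of a directive wins, so later
    duplicates are ignored (setdefault).
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, *sources = tokens
        directives.setdefault(name.lower(), sources)
    return directives


def csp_unsafe_keywords(policy: str) -> set[str]:
    """Return the unsafe keywords that apply to scripts under this policy.

    script-src is used when present; otherwise default-src is the fallback.
    An empty set means inline JS and eval() are both blocked.
    """
    directives = parse_csp(policy)
    script_sources = directives.get("script-src", directives.get("default-src", []))
    return {src for src in script_sources if src in UNSAFE_KEYWORDS}


def build_csp(nonce: str) -> str:
    """Restrictive policy: scripts only from same origin or carrying the
    per-response nonce, no plugins, no base tag hijacking."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'self'"
    )


def encode_for_html(untrusted: str) -> str:
    """HTML-encode untrusted text for insertion into element content or a
    quoted attribute: < > & " ' all become entities."""
    return html.escape(untrusted, quote=True)


def render_comment(untrusted_body: str, nonce: str) -> str:
    """Render a stored comment body with the encoded content and a nonced
    script block (initEditor is a hypothetical bootstrap call)."""
    return (
        '<div class="comment">' + encode_for_html(untrusted_body) + "</div>\n"
        f'<script nonce="{nonce}">initEditor();</script>'
    )


def respond(untrusted_body: str) -> tuple[dict[str, str], str]:
    """Produce (headers, body) for one response with a fresh nonce."""
    nonce = secrets.token_urlsafe(16)
    headers = {"Content-Security-Policy": build_csp(nonce)}
    return headers, render_comment(untrusted_body, nonce)


if __name__ == "__main__":
    headers, body = respond(STORED_UNTRUSTED_BODY)
    print(headers["Content-Security-Policy"])
    print(body)
    print("unsafe keywords in policy:", csp_unsafe_keywords(headers["Content-Security-Policy"]))
```

The encoding step is what stops the stored payload from becoming markup at all; the nonced policy is the second layer that keeps a missed encoding spot from executing, which is why the thread's two suggestions complement each other rather than compete.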