Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler #1746

Merged
merged 1 commit into from Mar 13, 2023

Conversation

fguillot
Copy link
Member

Creating an RSS feed item with the inline description containing an <img> tag with a srcset attribute pointing to an invalid URL like http:a<script>alert(1)</script>, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full.

This results in JavaScript execution on the Miniflux instance as soon as the user is convinced to open the broken image.

Do you follow the guidelines?

… proxy handler

Creating an RSS feed item with the inline description containing an `<img>` tag
with a `srcset` attribute pointing to an invalid URL like
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error
condition where the invalid URL is returned unescaped and in full.

This results in JavaScript execution on the Miniflux instance as soon as the
user is convinced to open the broken image.
@fguillot fguillot merged commit eb95085 into main Mar 13, 2023
12 checks passed
@fguillot fguillot deleted the proxy_xss branch March 13, 2023 05:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant