
Stored XSS in User Instructions Widget #3025

Closed
wjmccann opened this issue May 17, 2020 · 3 comments

Comments

@wjmccann

wjmccann commented May 17, 2020

Version: 1.4

Within the Edit User Instructions field, where you can enter source code, you are able to generate scripting that then executes in the user's browser when they click on the instructions page.

POC:

<body onload=alert(1)></body>

Additionally,
<a href=# onmouseover=alert(1)>Text</a>
will also execute scripting in the browser.

POC video is available here: https://youtu.be/SpFmM03Jl40

@galaktipus

Any commit fixing the issue?

@GaryAllan
Collaborator

@galaktipus
HTML is allowed in the User Instructions field so <script> is implicitly permitted.

This isn't a bug/issue; this is a feature request to limit the User Instructions field to a safe(r) subset of HTML (if such a thing actually exists!).

The ticket doesn't state why this potential XSS is an issue. An adversary would require admin rights to edit the User Instructions field and can therefore already perform all actions in the application.

@GaryAllan
Copy link
Collaborator

The code did attempt to remove <script> tags, so I've updated with a more robust DOM parser.

// Previous sanitisation: wrap any <script ...> in an error <div> with <xmp> so the browser renders it as text instead of executing it
$instructions->instructions = str_replace("<script", "<div class='error'><xmp><script", $instructions->instructions);
$instructions->instructions = str_replace("</script>", "</script></xmp></div>", $instructions->instructions);
// Regex strip of <script>...</script> blocks from the posted value; the return value is not assigned, so this call leaves the stored value unchanged
preg_replace('#<script(.*?)>(.*?)</script>#is', '', $_POST['instructions']);
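As an added illustration (not the project's code, and not the DOM parser the collaborator actually committed), the following PHP sketches the allowlist approach a DOMDocument-based filter takes: it drops any element not on an allowlist (which removes <script> together with its contents), strips every attribute not on an allowlist (which removes all on* handlers such as onload and onmouseover), and rejects href values whose scheme is not http(s), mailto or a relative path. The allowed tag and attribute lists are assumptions chosen for this example; the two calls at the end feed it the payloads from the report.

```php
<?php
// Added example, not the project's code: allowlist sanitizer on PHP's DOMDocument.
// ALLOWED_TAGS / ALLOWED_ATTRS are assumptions for this illustration.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'h1', 'h2', 'h3', 'div', 'span'];
const ALLOWED_ATTRS = ['href', 'title', 'class'];

function sanitizeInstructions(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                   // tolerate sloppy user HTML quietly
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);  // PI makes libxml read the input as UTF-8
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeChildren($body);

    // Serialise only the body's children, so attributes on <body> itself
    // (e.g. onload=...) never reach the output.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeChildren(DOMNode $node): void
{
    // Iterate over a snapshot: removing nodes mutates the live child list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            continue;                                   // text and comments pass through
        }
        if (!in_array(strtolower($child->tagName), ALLOWED_TAGS, true)) {
            $node->removeChild($child);                 // drops <script>, <iframe>, ... with contents
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $bad  = !in_array($name, ALLOWED_ATTRS, true)   // removes every on* handler
                 || ($name === 'href' && !preg_match('~^(https?:|mailto:|/|#)~i', trim($attr->value)));
            if ($bad) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitizeChildren($child);                       // recurse into allowed elements
    }
}

// Run it over the two payloads from the report above.
echo sanitizeInstructions('<body onload=alert(1)></body>'), PHP_EOL;
echo sanitizeInstructions('<a href=# onmouseover=alert(1)>Text</a>'), PHP_EOL;
```

The first payload serialises to an empty string because <body> is never emitted, and the second keeps only the <a> element with its href; the same walk would also catch <img onerror=...> and javascript: links, which the str_replace/preg_replace approach above does not.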
