Tabnabbing vulnerability in snow theme #2438

Closed
jonathanlloyd opened this issue Dec 21, 2018 · 3 comments

@jonathanlloyd (Contributor) commented Dec 21, 2018

Steps for Reproduction

  1. Visit https://quilljs.com/standalone/snow/
  2. Create a link to some URL
  3. Click the link to get the link preview
  4. Inspect the link element

Expected behavior:
The link has the target attribute set to _blank but has no rel property. This means that documents containing untrusted links make the page they are embedded in susceptible to tabnabbing https://www.owasp.org/index.php/Reverse_Tabnabbing.

It would be expected that the rel property be set to noopener (possibly also noreferrer and nofollow).

Actual behavior:
No rel property is set

Platforms:
All
Include browser, operating system and respective versions

Version:
All
Run Quill.version to find out

@jonathanlloyd (Contributor, Author) commented Dec 21, 2018

The issue is in quill/themes/snow.js lines 72-77:

SnowTooltip.TEMPLATE = [
  '<a class="ql-preview" target="_blank" href="about:blank"></a>',
  '<input type="text" data-formula="e=mc^2" data-link="https://quilljs.com" data-video="Embed URL">',
  '<a class="ql-action"></a>',
  '<a class="ql-remove"></a>',
].join('');

@danielw93 commented Jul 4, 2019

Hey @jhchen !
I just stumbled over this vulnerability while auditing our app.
The fix is merged but there doesn't seem to have been a deployment since then.

Do you have any timeline to release a bugfix version soon? Or could you create a new patch tag 1.3.7 at the mitigating commit (aceaf9f) and release a patch update?

As it is right now, this issue probably shouldn't be closed because it still requires action by the maintainer before the vulnerability is actually fixed for users.

@danielw93 commented Jul 6, 2019

Hi!
I found that Jonathan's fix does not completely protect quill users from tabnabbing.
I have added PR #2674 to add the rel="noopener noreferrer" attribute to anchor tags created by formats/link.js
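
An added example, not part of the thread or of Quill's code: a check that scans HTML template strings, such as the `SnowTooltip.TEMPLATE` quoted above, for anchors that open another browsing context without `noopener` or `noreferrer` in `rel`, and returns a hardened copy. It generalizes from `target="_blank"` to any named target, and the function names are hypothetical.

```javascript
// Added example (not Quill code): audit and harden <a> tags in HTML template strings.
const SAME_CONTEXT = new Set(['', '_self', '_parent', '_top']);
const REL_TO_ADD = ['noopener', 'noreferrer']; // the value named in the thread

// Parse one opening <a ...> tag into a Map of lower-cased attribute names.
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<a/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] || m[3] || m[4] || '');
  }
  return attrs;
}

// True when the link opens another browsing context without severing window.opener.
function isTabnabbable(attrs) {
  const target = (attrs.get('target') || '').toLowerCase();
  if (SAME_CONTEXT.has(target)) return false;
  const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/);
  // noreferrer implies noopener in the HTML spec, so either token is enough.
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Returns the hardened HTML plus the original tags that were at risk.
// Limitation: the tag regex assumes no literal ">" inside attribute values.
function hardenAnchors(html) {
  const findings = [];
  const out = html.replace(/<a(?=[\s>\/])[^>]*>/gi, (tag) => {
    const attrs = parseAttrs(tag);
    if (!isTabnabbable(attrs)) return tag;
    findings.push(tag);
    const rel = (attrs.get('rel') || '').split(/\s+/).filter(Boolean);
    for (const t of REL_TO_ADD) if (!rel.includes(t)) rel.push(t);
    attrs.set('rel', rel.join(' '));
    const parts = [...attrs].map(([k, v]) => ` ${k}="${v.replace(/"/g, '&quot;')}"`);
    return `<a${parts.join('')}>`;
  });
  return { html: out, findings };
}

// Constructed input: the preview anchor quoted in the issue, plus two control cases.
const sample = [
  '<a class="ql-preview" target="_blank" href="about:blank"></a>',
  '<a class="ql-action"></a>',
  '<a target="_blank" rel="nofollow" href="https://example.com/">x</a>',
].join('');
console.log(hardenAnchors(sample));
```

The `findings` array is suited to failing a build or lint step, while the returned `html` shows what the corrected markup looks like.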
