XSS Security Issue #3558
Comments
This was previously disclosed under https://github.com/quilljs/quill/issues/3273, but unfortunately that appears to have been deleted or inaccessible at the moment.
I'm not sure that this is an issue. The only case I can imagine is that you have no control over the backend, and you are asking for text from an external API that might contain an exploit, and even then, only a client that could remove the check from the frontend code would be affected. Meaning the hacker would hack themselves? I may be wrong, but I don't see a problem here that can't be fixed by respecting some basic standard security coding behaviors.
Thank you for your response. The way this works is not the hacker hacking themselves: since this is stored XSS, not reflected XSS, this is an issue that affects other users without needing any action on behalf of those users and without intercepting their traffic. It is more severe than reflected XSS. The interception proxy is used by the attacker locally in order to bypass client-side protections against storing the XSS in the first place. It is important to have layers of security, in case validation is bypassed on the backend OR the frontend. In general, validation works best when it is done on both the client and server side, and using a library that introduces a vulnerability while relying on a backend filter only is only a band-aid fix. We would never rely only on the security of a third-party application, but it is best to report exploits directly caused by them and fix them at the source. There must already be some XSS filtering in Quill, because certain types of XSS payloads don't work in Quill. Perhaps the XSS filtering behavior that would fix this one can be added there? Because of the nature of what WYSIWYG editors do (processing HTML tags), other WYSIWYG editors have had this same issue and have released security patches for it. For example, consider this very similar stored XSS issue in CKEditor, which has a great explanation here: https://checkmarx.com/blog/cve-2021-33829-stored-xss-vulnerability-discovered-in-ckeditor4-affects-widely-used-cms/ Additionally, CKEditor provided a user setting to disallow scripts, which also solved the issue. If you'd like, I can try to find more open source examples of JavaScript libraries (in particular, WYSIWYG editors) fixing XSS issues, to use as a guide. I hope this information helps; please feel free to reach out.
Additionally, for an overview of this type of security issue, here are some OWASP resources about Injection, which includes XSS: https://owasp.org/Top10/A03_2021-Injection/ From a more technical standpoint: input from the user should be validated using a white-listing approach so only characters expected to be found are included in values. User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
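The two defensive measures recommended in the comments above (whitelist validation of input, and HTML-encoding of every metacharacter at the point where stored text is copied into a response) are shown below as an added example. This is illustration code written for this page, not Quill's own code and not code posted by anyone in this thread; the field name, the whitelist pattern and the sample inputs are assumptions chosen for the demonstration.

```javascript
// Added example, not part of Quill or of this issue thread.
// Mapping of HTML metacharacters to entities. '&' is included so that a
// stored value containing a literal ampersand cannot be re-interpreted as
// the start of an entity when it is rendered.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '=': '&#61;',
};

// Output encoding: replace every metacharacter so the value renders as text,
// never as markup or as an attribute boundary. Apply this at the moment the
// value is copied into an HTML response, regardless of what the client did.
function htmlEncode(value) {
  return String(value).replace(/[&<>"'=]/g, (ch) => HTML_ENTITIES[ch]);
}

// Input validation (whitelist approach): a plain-text field such as a
// display name (assumed field) may only contain the characters we expect.
// Anything outside the set is rejected rather than "cleaned up".
const PLAIN_TEXT_WHITELIST = /^[A-Za-z0-9 .,!?_-]*$/;

function isAllowedPlainText(value) {
  return PLAIN_TEXT_WHITELIST.test(String(value));
}

// Server-side render step for a stored comment (assumed shape): the value is
// read back from storage and encoded on output. Validation on the client
// may have been bypassed, so this step never trusts the stored text.
function renderStoredComment(storedComment) {
  return `<p class="comment">${htmlEncode(storedComment)}</p>`;
}

// Constructed sample values, as they might arrive from a form or from storage.
const SAMPLE_NAME_OK = 'Alice Smith';
const SAMPLE_NAME_BAD = 'Alice <b>Smith</b>';
const SAMPLE_COMMENT = 'Tom & Jerry said "hi" <b>loudly</b>';

console.log(isAllowedPlainText(SAMPLE_NAME_OK));   // true: accepted
console.log(isAllowedPlainText(SAMPLE_NAME_BAD));  // false: rejected by whitelist
console.log(renderStoredComment(SAMPLE_COMMENT));  // markup rendered as text
```

Both layers are independent: the whitelist stops unexpected characters from being stored for fields that should never carry markup, and the encoder makes the response safe even if a value was stored through a path that skipped validation, which is the layered approach the thread argues for.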
Hello - Any updates on this? Has there been a security patch released for it to include the validation code mentioned above? Thanks
If you are not using Quill Deltas with You clearly do not understand and have misused the Quill editor.
Quill 2.0 has been released (announcement post) with many changes and fixes. If this is still an issue please create a new issue after reviewing our updated Contributing guide 🙏 |
Please provide a concise description and fill out the details below. It will help others efficiently understand your request and get to an answer instead of repeated back and forth. Providing a minimal, complete and verifiable example will further increase your chances that someone can help.
Steps for Reproduction
Expected behavior:
Actual behavior:
Platforms:
This works on all browsers and operating systems
Version:
1.3.7