Stored Cross-site Scripting (XSS) in page creation

[prodigysml]

Q	A
Bug?	Yes
New Feature?	no
Sulu Version	1.6.6
Browser Version	Chrome

Actual Behavior

Sulu saves the code unsanitised and allows arbitrary execution of javascript.

Expected Behavior

Sulu should remove the javascript payload as it does for most others.

Steps to Reproduce

1. Log in as a user with page editing permissions
2. Choose to edit an article
3. Add a new block with type text.
4. Click the source code button on the editor and enter the following code: <p><iframe src="javascript:alert(1)"></iframe></p>
5. Save the code

Possible Solutions

Check iframe src prior to adding to the page.

[wachterjohannes]

Thanks for the report :) but we explicitly allow all the HTML tags and attributes in the editor. You can decide if you want to render the content in raw (twig filter). We do this because we don't see the big problem here because the content-manager (logged in system user) should be "competent" enough to avoid it if he doesn't want it.

But we are planning in a future release to make this behavior configurable - there are no concrete plans currently.

/cc @chirimoya @danrot please add your thoughts about this topic

[danrot]

I also think that this is the job of the template developer. Especially because I have already seen textareas being used to copy small javascript snippets (e.g. Youtube embed codes).

[floatingbits]

I've been running into issues because the code is not only rendered unsanitized on the webpage/preview, but also in the block preview in the actual edit page.
It's quite disturbing when you want to paste one of the new (?) responsive vimeo.com embed codes which load a js file which seems to break sulus backend js up to the point that you aren't able to save the page anymore...
But then, I'm on 1.4, maybe 1.6 has got a different behaviour?

[alexander-schranz]

@floatingbits only the ckeditor run JS codes but there it is run inside an iframe and should not crash any backend components. and for embed codes its recommend use textareas and not texteditors. So update to 1.6 should fix it for textareas.

[floatingbits]

Hmmm. I do use a textarea. The html is output without any sanitizing to the block preview.
The code that breaks the whole edit page is a simple vimeo embed code featuring a script tag:

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/267254114?title=0&byline=0&portrait=0" style="position:absolute;top:0;left:0;width:100%;height:100%;" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

My blocks (without the breaking script tag) look like this:

EDIT: Ahh, ok. The update to 1.6 should fix it :-)

[alexander-schranz]

for @prodigysml if you don't want to output something on the website you maybe need to create a custom twig extension using something like http://htmlpurifier.org.

@floatingbits thats good.

I will know close the issue as it seems to be fixed, else feel free to reopen it or add a comment.