[Vulnerability] Stored XSS via init_editor #1095

@spaceraccoon

Description

Hi,

There is a stored XSS caused by the conversion of a blog post's contents from the classic editor to the new editor. When clicking the button to switch to the new editor, the code at editor.rs:

```rust
let content_val = get_elt_value("editor-content");
// And pre-fill the new editor with these values
let title = init_widget(&ed, "h1", i18n!(CATALOG, "Title"), title_val, true)?;
let subtitle = init_widget(
    &ed,
    "h2",
    i18n!(CATALOG, "Subtitle, or summary"),
    subtitle_val,
    true,
)?;
let content = init_widget(
    &ed,
    "article",
    i18n!(CATALOG, "Write your article here. Markdown is supported."),
    content_val.clone(),
    false,
)?;
if !content_val.is_empty() {
    content.set_inner_html(&content_val);
}
```

uses the WebAssembly-JS bridge to run `content.set_inner_html(&content_val);` using the post's text. If the text contains HTML tags like `<img src=x onerror=alert()>`, an XSS will occur.

  1. In a Plume instance, create a post draft in a blog using the classic editor with the contents <img src=x onerror=alert()>.
  2. Autosave.
  3. Switch to the new editor. An alert box will pop.

To fix this, you should use content.set_inner_text(&content_val); instead.

  • Plume version: 0.7.2
  • Operating system:
  • Web Browser: Safari
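The two DOM sinks at the heart of this report, as an added example that is not Plume's code and not part of the original issue. In the browser the hand-off uses `web_sys::Element::set_inner_html` (the string is parsed as markup, so event-handler attributes run) versus `web_sys::HtmlElement::set_inner_text` (the string is stored as inert text). A plain Rust program cannot touch a DOM, so the block below models what each path hands the HTML parser and adds a small scanner, `active_markup`, that lists the markup a parser would execute. The function names `prefill_with_inner_html`, `prefill_with_inner_text`, `escape_html` and `active_markup` are all assumptions made for this illustration; the draft payload is the one from the reproduction steps.

```rust
// Added example (not Plume's code). Models the vulnerable and the fixed
// hand-off from the classic editor draft to the new editor, and checks
// whether what reaches the sink still carries executable markup.

/// HTML-escape untrusted text so that a later innerHTML assignment renders it
/// literally. This is the textual equivalent of assigning via inner_text.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable path (hypothetical name): the draft is handed to the parser
/// verbatim, exactly as `content.set_inner_html(&content_val)` does.
pub fn prefill_with_inner_html(draft: &str) -> String {
    draft.to_string()
}

/// Fixed path (hypothetical name): what `set_inner_text` is equivalent to,
/// the draft reaches the DOM as text, never as markup.
pub fn prefill_with_inner_text(draft: &str) -> String {
    escape_html(draft)
}

/// Small scanner for markup an HTML parser would treat as executable:
/// `on*=` event-handler attributes, `<script>` elements and `javascript:`
/// attribute values. It tokenises attributes on whitespace, so quoted values
/// containing spaces are split, but the attribute name is still detected.
pub fn active_markup(html: &str) -> Vec<String> {
    let mut findings = Vec::new();
    let lower = html.to_ascii_lowercase();
    let mut rest = lower.as_str();
    while let Some(start) = rest.find('<') {
        let tag_body = &rest[start + 1..];
        let end = match tag_body.find('>') {
            Some(e) => e,
            None => break,
        };
        let tag = &tag_body[..end];
        let name = tag
            .split(|c: char| c.is_whitespace() || c == '/')
            .next()
            .unwrap_or("");
        if name == "script" {
            findings.push("script".to_string());
        }
        for attr in tag.split_whitespace().skip(1) {
            let mut parts = attr.splitn(2, '=');
            let key = parts.next().unwrap_or("");
            let value = parts.next().unwrap_or("");
            if key.starts_with("on") && key.len() > 2 {
                findings.push(key.to_string());
            }
            let unquoted = value.trim_matches(|c: char| c == '"' || c == '\'');
            if unquoted.starts_with("javascript:") {
                findings.push(format!("{}=javascript:", key));
            }
        }
        rest = &tag_body[end + 1..];
    }
    findings
}

fn main() {
    // Constructed input: the payload from the reproduction steps above.
    let draft = "<img src=x onerror=alert()>";
    println!(
        "inner_html path executes: {:?}",
        active_markup(&prefill_with_inner_html(draft))
    );
    println!(
        "inner_text path executes: {:?}",
        active_markup(&prefill_with_inner_text(draft))
    );
}
```

The scanner is a review aid, not a sanitizer: the correct fix is to stop using a markup sink for text, as the report suggests. Since the classic editor holds Markdown source, showing it as text in the new editor loses nothing; if the new editor ever did need to render HTML from a stored draft, the content would have to pass through an HTML sanitizer first rather than a scanner like this one.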
