Reflected XSS in Document Viewer (Text)
Describe the bug
Reflected XSS is possible if script is uploaded in JSON data.
To Reproduce
Steps to reproduce the behavior:
- Upload a JSON file with a simple XSS script: `<img="" onerror=alert("hi")>`
- Process the document
- Go to Documents -> click on the uploaded JSON -> click on the [Text] option
- See the reflected XSS alert
Screenshots
This shows no response from the payload before clicking to the page that contains it.
After clicking to the page with the payload, an alert is received.
The payload is not shown (script tags not escaped).
When searched, the script is visible.
Desktop:
Default docker-compose.yml template from the Installation page. Nothing was altered.
Additional context
I have not attempted further exploitation.
Thanks! This is a serious issue, we're gonna have a look!
@johnconnor-sec would you be able to share this JSON file with us? I tried to reproduce but with no luck so far :/
I would share the JSON file, except it is a download of my OpenAI data (the full conversations.json). I was messing around and some of the XSS scripts it had produced popped up in the application.
I apologize for the late reply. There was a death in the family recently.
I have not been able to reproduce this since last contact. I should have taken better notes. I will continue to be in contact if I am able to reproduce this.
@pirhoo I believe I have narrowed down the problem. The issue is stemming from the Sentence Case plugin. I'm including the simple test I used and a video.
```
"`<img src='' onerror=alert('hi')>`"
```
https://github.com/user-attachments/assets/5676bd5d-f65b-4308-8d6b-d9d332d4fde8
I've created an issue for Sentence Case here with remediation steps.
Hello John, I'm sorry to hear about your loss! Thanks for taking the time to send us additional information. We will try to resolve this soon.
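As an added illustration (not code from this project or from the Sentence Case plugin), the snippet below contrasts the pattern the report describes, where a text transform's output is placed into the page as HTML, with the hardened form that escapes it first. The sentence-case transform, the `renderTextView*` functions and the sample text are assumptions constructed for the example; the payload is the one from the report.

```javascript
// Constructed sample: the reporter's payload embedded in ordinary document text.
const SAMPLE_TEXT = "hello world. <img src='' onerror=alert('hi')> another sentence.";

// Hypothetical stand-in for a sentence-case plugin: capitalise the first
// letter of each sentence. Changing case never makes text safe or unsafe;
// what matters is how the result is inserted into the page.
function sentenceCase(text) {
  return text.replace(/(^|[.!?]\s+)([a-z])/g, (m, sep, ch) => sep + ch.toUpperCase());
}

// Escape the five characters that can change HTML structure or terminate an
// attribute value, so the output is inert as element content.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: transformed text concatenated straight into markup
// (the equivalent of element.innerHTML = ...). The <img> becomes a real
// element and its onerror handler runs when the view is opened.
function renderTextViewUnsafe(text) {
  return `<pre class="text-view">${sentenceCase(text)}</pre>`;
}

// Hardened pattern: escape after the last text transform, immediately before
// insertion (the equivalent of element.textContent = ...). The payload is
// displayed literally, which is the behaviour a "Text" view should have.
function renderTextViewSafe(text) {
  return `<pre class="text-view">${escapeHtml(sentenceCase(text))}</pre>`;
}

// Regression check for either renderer: the only tags allowed in the output
// are the wrapper's own <pre> and </pre>.
function containsForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?pre$/.test(t));
}
```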