
Code Injection

Open InitRoot opened this issue 5 years ago • 2 comments

The application does not properly comment out the following code injection:

@@javascript:"/'/`/--><html " onmouseover=/<svg/*/onload=alert()//>@@

The above still provides XSS execution as shown on the picture below: https://i.imgur.com/nvSl2Z7.png

InitRoot, Feb 25 '19 11:02

Please write what exactly the error is. What result do you expect to see, and what happens?

Jenyay, Jan 12 '21 10:01

The application doesn't properly sanitize user input; as a result, it's possible to perform client-side attacks through the Preview function.

The issue is that the Wiki Editor function, whenever HTML code is submitted, directly submits it as HTML. Such input should be sanitised, and code should only be allowed to be ingested if within the code formatting. Here is an example of simple JavaScript code, wrapped properly.

image

Even when wrapped, the code gets ingested as a payload and executed, resulting in client-side code execution. Here is the HTML view of the above.

image

The expectation is that any code entered using the code block function will result in the code being sanitized and not ingested by the underlying editor.

image

Then, to follow on from this: even injecting the code without wrapping it in the code blocks results in the same issue. Example below:

image image

Also results in code execution: image

Both of the above can be done by simply entering the following into the wiki editor:

<script>alert()</script>

I hope this clears it up.

InitRoot, Jan 21 '21 15:01
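The behaviour the report expects, as an added example that is not OutWiker's code and not part of the original thread: a simplified renderer that emits `@@...@@` content raw, beside one that HTML-escapes it, both run over the two inputs quoted above. The function names, the regex-based parser and the policy of escaping all text outside code spans are assumptions made for illustration.

```python
import html
import re

# Hypothetical, simplified stand-in for a wiki renderer; not OutWiker's parser.
CODE_SPAN = re.compile(r"@@(.*?)@@", re.DOTALL)

# The two inputs quoted in the thread above.
SAMPLES = [
    '@@javascript:"/\'/`/--><html " onmouseover=/<svg/*/onload=alert()//>@@',
    "<script>alert()</script>",
]


def render_unsafe(wiki_text: str) -> str:
    """Behaviour described in the report: user text reaches the preview raw."""
    return CODE_SPAN.sub(lambda m: "<code>" + m.group(1) + "</code>", wiki_text)


def render_safe(wiki_text: str) -> str:
    """Escape every user-supplied character; only the renderer emits tags.

    Assumption: raw HTML is not permitted anywhere in the page text.
    """
    out, pos = [], 0
    for m in CODE_SPAN.finditer(wiki_text):
        out.append(html.escape(wiki_text[pos:m.start()], quote=True))
        out.append("<code>" + html.escape(m.group(1), quote=True) + "</code>")
        pos = m.end()
    out.append(html.escape(wiki_text[pos:], quote=True))
    return "".join(out)


def live_tags(rendered: str) -> list:
    """Tag names the preview widget would parse, minus the renderer's own <code>."""
    names = re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered)
    return [n for n in names if n.lower() != "code"]


if __name__ == "__main__":
    for sample in SAMPLES:
        print("unsafe:", live_tags(render_unsafe(sample)))
        print("safe:  ", live_tags(render_safe(sample)))
```

A check like `live_tags` also works as a regression test for the real renderer: any tag name other than the ones the renderer itself generates means user input reached the preview unescaped.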