Plume
[Vulnerability] Stored XSS via init_editor
Hi,
There is a stored XSS caused by the conversion of a blog post's contents from the classic editor to the new editor. When clicking the button to switch to the new editor, the code at editor.rs (https://github.com/Plume-org/Plume/blob/97cbe7f4461bcd072d27364809092aa3d80be32f/plume-front/src/editor.rs#L383-L401) uses the WebAssembly-JS bridge to run content.set_inner_html(&content_val); using the post's text. If the text contains HTML tags like <img src=x onerror=alert()>, an XSS will occur.
- In a Plume instance, create a post draft in a blog using the classic editor with the contents <img src=x onerror=alert()>.
- Autosave.
- Switch to the new editor. An alert box will pop.
To fix this, you should use content.set_inner_text(&content_val); instead.
- Plume version: 0.7.2
- Operating system:
- Web Browser: Safari
That vulnerability is currently not triggerable in any way that's actually useful to an attacker that I can think of, but it will be when #368 gets implemented.
I don't think set_inner_text would do the trick, you are supposed to be able to insert (a safe subset of) html in a blog post. What should be done is the same kind of sanitization that's done when publishing.
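The shape of the fix the thread converges on, as an added example that is neither Plume's code nor anything the reporter or maintainer posted: an allowlist HTML sanitizer in Rust (the language of plume-front) run over the report's payload before it reaches set_inner_html. The tag and attribute lists, the names safe_url, parse_tag and sanitize, and the scheme rules are all choices made for this example; Plume's real publishing-time sanitizer and the exact HTML subset it permits are not reproduced here, and a production editor should reuse that sanitizer or a maintained library (ammonia on the Rust side, DOMPurify in JS) rather than a hand-rolled one. With it, the editor switch would call content.set_inner_html(&sanitize(&content_val)) instead of passing the draft through untouched (illustrative, not a patch).

```rust
// Added example, not Plume's code: a dependency-free allowlist sanitizer for what the editor hands to set_inner_html.

/// Tags that survive; anything else (script, svg, iframe, ...) is removed, its text kept.
const ALLOWED_TAGS: &[&str] =
    &["p", "br", "em", "strong", "a", "img", "code", "pre", "blockquote", "ul", "ol", "li", "h1", "h2", "h3"];

/// Per-tag attribute allowlist. No on* handler is listed, so onerror/onclick are dropped.
fn allowed_attr(tag: &str, attr: &str) -> bool {
    matches!((tag, attr), ("a", "href") | ("img", "src") | ("img", "alt"))
}
/// Accept relative URLs and http/https/mailto; reject javascript:, data:, vbscript:, ...
/// Control characters and whitespace are stripped before looking for the scheme because
/// browsers ignore them there: "java\tscript:" and " javascript:" are still javascript:.
fn safe_url(url: &str) -> bool {
    let cleaned: String = url.chars().filter(|c| !c.is_control() && !c.is_whitespace()).collect();
    let before = match cleaned.find(':') {
        None => return true, // no scheme at all: a relative URL
        Some(i) => &cleaned[..i],
    };
    // "/a:b" or "?x=1:2": the colon comes after the path starts, so it is not a scheme.
    before.contains(|c: char| c == '/' || c == '?' || c == '#')
        || matches!(before.to_ascii_lowercase().as_str(), "http" | "https" | "mailto")
}
// Values are re-emitted inside double quotes, so `"`, `<` and `>` are what need escaping.
fn escape_attr(value: &str) -> String {
    value.replace('"', "&quot;").replace('<', "&lt;").replace('>', "&gt;")
}

/// Parse the text between `<` and `>` into (lowercase name, is_closing, attributes); None if no name.
fn parse_tag(inner: &str) -> Option<(String, bool, Vec<(String, String)>)> {
    let mut rest = inner.trim();
    let closing = rest.starts_with('/');
    if closing { rest = rest[1..].trim_start(); }
    let name_end = rest.find(|c: char| !c.is_ascii_alphanumeric()).unwrap_or(rest.len());
    if name_end == 0 { return None; }
    let name = rest[..name_end].to_ascii_lowercase();
    let (tail, b) = (&rest[name_end..], rest[name_end..].as_bytes());
    let (mut attrs, mut i) = (Vec::new(), 0);
    // The scan only stops on ASCII bytes, so every slice of `tail` is on a char boundary.
    while i < b.len() {
        while i < b.len() && (b[i].is_ascii_whitespace() || b[i] == b'/') { i += 1; }
        let start = i;
        while i < b.len() && !b[i].is_ascii_whitespace() && b[i] != b'=' && b[i] != b'/' { i += 1; }
        let attr = tail[start..i].to_ascii_lowercase();
        while i < b.len() && b[i].is_ascii_whitespace() { i += 1; }
        let mut value = String::new();
        if i < b.len() && b[i] == b'=' {
            i += 1;
            while i < b.len() && b[i].is_ascii_whitespace() { i += 1; }
            // Quoted values run to the matching quote, unquoted ones to the next whitespace.
            let quote = if i < b.len() && (b[i] == b'"' || b[i] == b'\'') { Some(b[i]) } else { None };
            if quote.is_some() { i += 1; }
            let vstart = i;
            while i < b.len() && quote.map_or(!b[i].is_ascii_whitespace(), |q| b[i] != q) { i += 1; }
            value = tail[vstart..i].to_string();
            if quote.is_some() { i += 1; }
        }
        attrs.push((attr, value)); // an empty name never matches the allowlist, so it is harmless
    }
    Some((name, closing, attrs))
}

/// Rebuild the fragment from allowlisted tags only. Every tag in the output is re-serialized
/// here, so markup smuggled through attribute values or malformed tags cannot reach the DOM.
pub fn sanitize(html: &str) -> String {
    let mut out = String::with_capacity(html.len());
    let mut rest = html;
    while let Some(lt) = rest.find('<') {
        out.push_str(&rest[..lt]);
        rest = &rest[lt + 1..];
        if !rest.starts_with(|c: char| c.is_ascii_alphabetic() || c == '/') {
            out.push_str("&lt;"); // "<" not followed by a tag name is plain text, e.g. "1 < 2"
            continue;
        }
        let gt = match rest.find('>') {
            Some(gt) => gt,
            None => { out.push_str("&lt;"); break; } // unterminated tag: emit it as text
        };
        let parsed = parse_tag(&rest[..gt]);
        rest = &rest[gt + 1..];
        if let Some((name, closing, attrs)) = parsed {
            if !ALLOWED_TAGS.contains(&name.as_str()) { continue; } // drop tag, keep the text after it
            out.push('<');
            if closing { out.push('/'); }
            out.push_str(&name);
            if !closing {
                for (attr, value) in attrs {
                    let url_ok = !(attr == "href" || attr == "src") || safe_url(&value);
                    if allowed_attr(&name, &attr) && url_ok {
                        out.push_str(&format!(" {}=\"{}\"", attr, escape_attr(&value)));
                    }
                }
            }
            out.push('>');
        }
    }
    out.push_str(&rest.replace('<', "&lt;")); // trailing text; only an unterminated tag leaves a '<' here
    out
}
```

On the report's payload, sanitize("<img src=x onerror=alert()>") yields <img src="x">: the img tag is kept (it is part of the safe subset), the onerror handler is gone, and a javascript: or data: src would be dropped as well. The point of re-serializing every tag rather than deleting substrings from the input is that the output cannot contain any markup the sanitizer did not itself emit, which is what protects against parser-differential (mXSS) tricks; this is also why set_inner_text is not the answer, since the post is allowed to carry that subset of HTML.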
Makes sense, I saw in the UI what seemed like possible shared editing features.
I recommend DOMPurify to do the sanitization since it's the most robust whitelisting solution IMO!