
XSS vulnerability

Open augustozanellato opened this issue 2 years ago • 2 comments

Hi! Both this extension and firefox-fastread (which is based on this one) are vulnerable to XSS due to mishandling of HTML entities: specifically, the extension injects part of an element's .innerText into some HTML without encoding certain characters as entities, so, for example, if there's a &lt;script&gt; it becomes <script> after the extension processes the page.

See https://augustozanellato.github.io/FastReadXSS/poc.html for a PoC

augustozanellato avatar May 20 '22 12:05 augustozanellato

Set 'fraction of word to bold' to 0.3 to see this PoC in action (otherwise the onerror splits between o and n):

  • 0 1 1 2 0.3

johnkershaw avatar May 23 '22 18:05 johnkershaw

Would a hackish solution, such as

```javascript
// Entity-encode the characters that change meaning inside HTML text or attributes.
function purify(unsafe_str) {
  return unsafe_str
    .replace(/&/g, "&amp;")   // must come first so later entities are not double-encoded
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/\//g, "&#x2F;");
}
```

prevent XSS attack of this kind?

I tested this with the latest commit, and it seems to be a quick way around it.

Cveinnt avatar May 29 '22 09:05 Cveinnt
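As an added illustration of the defect reported above and of the escaping fix discussed in the thread (this is not chrome-fastread's own code: `boldWords` is a hypothetical stand-in for the extension's word-bolding step, and the page text is constructed):

```javascript
// Entity map for the five characters that change meaning in HTML text/attributes.
// (Escaping "/" as well, as in the comment above, is harmless but not required.)
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hypothetical model of the extension's transform: wrap the first `fraction`
// of each word in <b>…</b> and hand the result to innerHTML. `escape` decides
// whether text taken from .innerText is entity-encoded before it becomes markup.
function boldWords(text, fraction, escape) {
  return text.split(/(\s+)/).map((token) => {
    if (token === "" || /^\s+$/.test(token)) return token; // keep whitespace as-is
    const cut = Math.ceil(token.length * fraction);
    const head = token.slice(0, cut);
    const tail = token.slice(cut);
    return escape
      ? `<b>${escapeHtml(head)}</b>${escapeHtml(tail)}`
      : `<b>${head}</b>${tail}`;
  }).join("");
}

// Constructed sample: .innerText of an element whose source held "&lt;script&gt;",
// i.e. the page merely *displays* the text "<script>". With fraction 0.3 the bold
// split lands on "note", so the literal tag text survives intact into the markup.
const PAGE_TEXT = "see note:<script> here";

// Vulnerable path: the displayed text "<script>" is now a real <script> element.
function renderVulnerable() { return boldWords(PAGE_TEXT, 0.3, false); }

// Hardened path: the browser renders "<script>" as visible text again.
function renderHardened() { return boldWords(PAGE_TEXT, 0.3, true); }

// Defender's check: does the generated markup contain any tag other than the <b>
// wrappers the transform itself is supposed to add?
function leaksForeignTag(html) {
  return /<(?!\/?b>)[a-z!\/]/i.test(html);
}
```

Building the output with `document.createElement("b")` and `textContent` instead of string concatenation into `innerHTML` removes the encoding question entirely, since text nodes are never parsed as markup.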