
XSS Vulnerability in links and other tools

Open mkskovalev opened this issue 1 year ago • 0 comments

I've identified a potential XSS vulnerability in how render_editorjs handles links and possibly other tools, where JavaScript can be injected via the href attribute. Specifically, links with the javascript: protocol, such as:

<a href="javascript:alert('XSS')">Click me</a>

can be used to inject and execute harmful code. This vulnerability may not only affect inline link inserts, but also other tools that handle user input containing links.

Example of the Problem

If a user inputs a link like:

javascript:alert('XSS')

and this data is passed through Editor.js without proper sanitization, the resulting rendered content may allow for the execution of harmful JavaScript code.

Proposed Solution

I am currently mitigating this in my application using js-xss to sanitize the content before rendering. Below is the approach I have implemented using a Stimulus controller to sanitize the output from Editor.js before saving it:

// js-xss exports filterXSS; the whiteList below is passed straight to it.
import { filterXSS } from 'xss';

// Editor.js `onChange` callback (part of the EditorJS constructor config):
// serialise the editor, sanitise the result, then store the JSON in the form input.
onChange: () => {
  this.editor.save().then((outputData) => {
    const sanitizedData = this.sanitizeOutput(outputData);
    this.inputTarget.value = JSON.stringify(sanitizedData);
  }).catch((error) => {
    console.error('Saving failed: ', error);
  });
},

// Stimulus controller method. js-xss keeps only the listed tags and attributes,
// and its default href check empties values that do not start with an allowed
// scheme (http, https, mailto, tel) or a relative path / fragment, so a
// `javascript:` href is removed rather than rendered.
sanitizeOutput(outputData) {
  const xssOptions = {
    whiteList: {
      a: ['href', 'title', 'target'],
      b: [],
      i: [],
      p: [],
      h2: [],
    },
    stripIgnoreTag: true,           // drop unlisted tags but keep their text
    stripIgnoreTagBody: ['script'], // drop <script> tags together with their contents
  };

  // Only tools that store HTML in data.text are covered here; tools that keep
  // content in other fields (list items, table cells, link tool URLs) need the
  // same pass.
  outputData.blocks.forEach(block => {
    if (block.data && block.data.text) {
      block.data.text = filterXSS(block.data.text, xssOptions);
    }
  });

  return outputData;
}

Suggestion for a Built-In Solution

I believe that integrating a similar sanitization mechanism directly into the rendering layer of render_editorjs would be a great improvement. By ensuring all user-generated content (especially links) is properly sanitized before rendering, you can help prevent potential XSS vulnerabilities across all tools, not just inline links.

Summary

I suggest incorporating a built-in mechanism to sanitize links and other potentially vulnerable content at the rendering stage. This would provide better security coverage for users of the library, protecting against common XSS attacks.

Thank you for considering this issue! If needed, I can provide further details or assist with implementation.

mkskovalev · Sep 16 '24 09:09
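An added example (not render_editorjs code and not the issue author's) of the URL scheme allowlist this mitigation depends on, written so it walks any Editor.js block structure rather than only data.text; SAFE_PREFIXES, URL_FIELDS and the sample document are assumptions:

```javascript
// Added example, not render_editorjs code: dependency-free URL-scheme allowlist
// for Editor.js output, mirroring the href check js-xss performs. It only covers
// link targets; tag/attribute allowlisting still needs a full sanitizer.
const SAFE_PREFIXES = ["http://", "https://", "mailto:", "tel:", "/", "./", "../", "#"];
// Fields some tools store as bare URLs (link tool's `link`, image tool's `file.url`).
const URL_FIELDS = new Set(["link", "url", "href"]);
// href attribute inside an <a ...> tag: double-quoted, single-quoted or unquoted.
const HREF_RE = /(<a\b[^>]*?\bhref\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// Undo what hides a scheme from a naive prefix check: numeric HTML entities,
// embedded whitespace/control characters, mixed case.
function normalizeUrl(raw) {
  return String(raw)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\u0000-\u0020\u007f]/g, "")
    .toLowerCase();
}

// Keeps the URL if its scheme is allowlisted, otherwise returns "" so the
// link text survives but points nowhere.
function safeHref(raw) {
  const url = normalizeUrl(raw);
  return SAFE_PREFIXES.some((p) => url.startsWith(p)) ? String(raw).trim() : "";
}

// Walks a block's data recursively, so nested structures (list items, table
// cells, checklist entries) get the same treatment as paragraph text.
function sanitizeValue(key, value) {
  if (typeof value === "string") {
    if (URL_FIELDS.has(key)) return safeHref(value);
    return value.replace(HREF_RE, (_, pre, dq, sq, uq) =>
      `${pre}"${safeHref(dq ?? sq ?? uq ?? "").replace(/"/g, "&quot;")}"`);
  }
  if (Array.isArray(value)) return value.map((v) => sanitizeValue(key, v));
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, sanitizeValue(k, v)]));
  }
  return value;
}

// Same signature as the issue's sanitizeOutput, but returns a new object.
function sanitizeOutput(outputData) {
  return { ...outputData, blocks: outputData.blocks.map((b) => ({ ...b, data: sanitizeValue("data", b.data) })) };
}

// Constructed sample (not from the issue): a paragraph with inline links and a link-tool block.
const SAMPLE = { blocks: [
  { type: "paragraph", data: { text: 'See <a href="https://example.com/docs">docs</a> or <a href="javascript:alert(1)">this</a>' } },
  { type: "linkTool", data: { link: "JavaScript:alert(1)", meta: { title: "constructed" } } },
] };
```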