
Not escaping `"` to `&quot;` in process function

Open · termermc opened this issue 4 years ago · 1 comment

The process function used for sanitizing input does not process `"` and therefore in some cases (especially with custom tags) can cause possible XSS vulnerabilities. For example, if I created a tag that began with `<img src="/myimage.png" title="` and then ended with `" />`, the user could input `" onerror="alert('malicious javascript')" href="` and execute malicious JS. This does not seem to affect any of the default tags provided with XBBCode-Parser, but it's a huge security hole that's not obvious to people creating their own tags. I suggest that `"` be escaped to `&quot;`, along with `'` being escaped to `&apos;` (in case the developer used `'` instead of `"`).

Thanks

termermc · Aug 20 '20

You probably want to call this function at the beginning of the process function:

    // Escape the characters that let user text break out of a quoted
    // attribute (or a style declaration) in a custom tag template.
    // The semicolon must be handled first: doing it last would rewrite
    // the ';' of the entities emitted by the earlier replacements.
    // String.prototype.replaceAll needs ES2021 (Node 15+).
    function securityFixes(text) {
        return text
            .replaceAll(';', '&#59;')
            .replaceAll('"', '&quot;')
            .replaceAll("'", '&apos;');
    }

The semicolon was added in case someone wants to break out of style settings at some point.

Merulast · Jan 20 '23
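An added example, not code from XBBCode-Parser or from either commenter, that reproduces the attribute-injection case described in the issue and shows the effect of the quote escaping both comments propose. `escapeNoQuotes` is an assumed stand-in that models the reported behaviour (angle brackets and ampersands escaped, quotes left alone); it is not the library's real process function. The `[myimg]` tag, the `escapeForAttribute` function and the `attributeNames` helper are hypothetical names introduced here, and the payload is the one quoted in the issue.

```javascript
// Stand-in for a sanitizer that escapes angle brackets and ampersands but
// leaves quotes alone. This is an assumption modelling the behaviour the
// issue reports, not XBBCode-Parser's actual process function.
function escapeNoQuotes(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened version (hypothetical name): also escapes both quote characters.
// '&' is replaced first so the entities emitted here are not re-escaped,
// and the order means no later replacement touches an earlier entity.
function escapeForAttribute(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A custom tag of the shape the issue describes (tag name hypothetical):
// [myimg]CONTENT[/myimg] -> <img src="/myimage.png" title="CONTENT" />
function renderMyImg(content, escape) {
  return '<img src="/myimage.png" title="' + escape(content) + '" />';
}

// Minimal attribute scan of one HTML start tag, enough to show which
// attribute names a browser would see. Assumes well-formed quoting, which
// is exactly what the hardened escaper guarantees.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// The payload from the issue (constructed input): closes the title
// attribute, injects an event handler, then reopens an attribute so the
// template's own closing quote is absorbed harmlessly.
const PAYLOAD = "\" onerror=\"alert('malicious javascript')\" href=\"";

// Renders the payload through both escapers and reports the attributes
// each result exposes. With quotes unescaped, onerror becomes a live
// attribute; with them escaped, everything stays inside title.
function demo() {
  const weak = renderMyImg(PAYLOAD, escapeNoQuotes);
  const hardened = renderMyImg(PAYLOAD, escapeForAttribute);
  return {
    weak,
    hardened,
    weakAttrs: attributeNames(weak),
    hardenedAttrs: attributeNames(hardened),
  };
}

const result = demo();
console.log("weak:     ", result.weak, result.weakAttrs);
console.log("hardened: ", result.hardened, result.hardenedAttrs);
```

The point the attribute scan makes is that escaping `<` and `>` alone is the wrong contract for attribute context: the payload never needs an angle bracket, because the template already supplies the `<img` and `/>` around it. Escaping `&` before the quotes also avoids the double-encoding trap that a quote-only fix leaves open.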