
Reflected XSS into JavaScript context

Open Sinkmanu opened this issue 3 years ago • 0 comments

First of all, thanks for contributing this application to the world.

I was testing my Django website, and as I use django-summernote I performed some tests against the public URLs that it exposes. I saw the following path:

https://site/summernote/editor/id_safe/

Looking at the source code I saw the following in views.py:

    ...
    context['id_safe'] = self.kwargs['id'].replace('-', '_')
    ...

widget_iframe_editor.html:

    ...
    <script>
    initSummernote_{{ id_safe }}();
    </script>
    ...

The id_safe parameter must be sanitized, because by breaking out of the function call it is possible to run arbitrary JavaScript.

Proof of concept:

https://site/summernote/editor/foobar%20=%20alert(document.domain)/

Depending on the format id_safe should have, we could enforce it with a regex so that the id has a specific format and no other (this also forbids the special characters that break out of the expected JS and run other JS).

Sinkmanu avatar Feb 15 '22 13:02 Sinkmanu
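The allowlist check the report asks for, written here as an added example and not django-summernote's own code: the pattern (letters, digits, hyphen, underscore) is an assumed policy, and `render_editor_script` simply mirrors the `<script>` line quoted from the template so the effect of validating before substitution is visible.

```python
import re

# Assumed allowlist for the editor id: letters, digits, hyphen and underscore.
# Anything that could close the `initSummernote_<id>()` call (spaces, '=',
# parentheses, quotes, '<') is outside this set and is rejected up front.
SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_safe_id(raw_id: str) -> bool:
    """True if raw_id contains only allowlisted characters (and is non-empty)."""
    return SAFE_ID_RE.fullmatch(raw_id) is not None


def make_id_safe(raw_id: str) -> str:
    """Validate, then apply the same '-' -> '_' rewrite the view performs.

    The rewrite alone does not sanitize: it only normalises hyphens, so the
    validation step must come first.
    """
    if not is_safe_id(raw_id):
        raise ValueError(f"invalid editor id: {raw_id!r}")
    return raw_id.replace("-", "_")


def render_editor_script(raw_id: str) -> str:
    """Build the <script> block the iframe template emits (constructed here)."""
    return f"<script>\ninitSummernote_{make_id_safe(raw_id)}();\n</script>"


if __name__ == "__main__":
    print(render_editor_script("id_editor-1"))
    # The decoded path segment from the report never reaches the template.
    try:
        render_editor_script("foobar = alert(document.domain)")
    except ValueError as exc:
        print("rejected:", exc)
```

Django's built-in `slug` path converter (`<slug:id>` in `urls.py`) enforces the same character set at routing time, so a non-matching id gets a 404 before the view runs.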