TeachLAFrontend
Arbitrary Same-Origin Stored XSS on React + HTML Outputs
Initially disclosed to @mizlan privately. Opening this issue for easier tracking and documentation.
Vulnerability
On https://editor.uclaacm.com, there is an arbitrary Same-Origin Stored XSS for outputs of the editor specifically for both React & HTML. The issue arises from a lack of sandboxing of the output while using srcdoc, which causes the embedded content to be on the same origin as the editor (source code). The impact could be that an adversary is able to share a page with a payload which could exfiltrate private data about a user or lead to arbitrary writes or downloads.
POC
React:
HTML:
Fix
The solution to this is to introduce the sandbox property to the output iframe. This can be done in the following source code with a behavior of sandbox="allow-scripts allow-modals". This would allow many of the current features to be maintained while allowing resources to be isolated by the Same-Origin Policy.
What are some tests I can do after a fix to ensure I've resolved the problem? @bliutech
Is it enough to check the document.domain property?
Yes. If the origins are not the same, then the Same-Origin Policy applies which should address this issue. 👍
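As an added example (not the editor's own code), the origin rule behind both the report and the fix, modelled in plain JavaScript: an `<iframe srcdoc>` document inherits the embedder's origin unless the frame is sandboxed without `allow-same-origin`, in which case it gets an opaque origin that `window.origin` reports as "null", which is the check discussed above. `EDITOR_ORIGIN`, the helper names and the sample output are assumptions.

```javascript
// Added example, not code from the TeachLA editor. Models the origin a
// browser assigns to an <iframe srcdoc> document (HTML spec: the srcdoc
// document inherits the embedder's origin unless the frame is sandboxed
// without allow-same-origin, which gives it an opaque origin) and compares
// the reported attribute set with the proposed fix.

const EDITOR_ORIGIN = 'https://editor.uclaacm.com'; // assumed embedder origin

function sandboxTokens(value) {
  return new Set(String(value).trim().split(/\s+/).filter(Boolean));
}

// Returns the origin the srcdoc document will run under. An opaque origin
// serialises as the string "null", exactly as window.origin reports it.
function frameOrigin(attrs, parentOrigin = EDITOR_ORIGIN) {
  if (!('srcdoc' in attrs)) throw new Error('only srcdoc frames are modelled');
  if (!('sandbox' in attrs)) return parentOrigin; // no sandbox: same origin as the editor
  return sandboxTokens(attrs.sandbox).has('allow-same-origin') ? parentOrigin : 'null';
}

// True when the output document can reach the editor's DOM, storage and
// credentialed requests; an opaque origin never matches anything.
function canReachEditor(attrs) {
  const origin = frameOrigin(attrs);
  return origin !== 'null' && origin === EDITOR_ORIGIN;
}

// Builds the sandbox value for the output frame from the features the
// editor needs. allow-same-origin is rejected outright: together with
// allow-scripts it would let embedded script strip the sandbox attribute.
const OUTPUT_FEATURES = ['allow-scripts', 'allow-modals']; // value proposed in the issue
function buildSandbox(features = OUTPUT_FEATURES) {
  const known = new Set(['allow-scripts', 'allow-modals', 'allow-forms', 'allow-popups']);
  for (const f of features) {
    if (f === 'allow-same-origin') throw new Error('allow-same-origin would defeat the fix');
    if (!known.has(f)) throw new Error(`unknown sandbox token: ${f}`);
  }
  return [...new Set(features)].join(' ');
}

// Constructed user program: the same HTML output in both frame configurations.
const USER_OUTPUT = '<h1>hello from a shared program</h1>';
const beforeFix = { srcdoc: USER_OUTPUT };                          // as reported
const afterFix  = { srcdoc: USER_OUTPUT, sandbox: buildSandbox() }; // proposed fix

console.log('before fix:', frameOrigin(beforeFix), '| after fix:', frameOrigin(afterFix));
```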