[Vulnerability] Stored XSS via init_editor #1095
Comments
That vulnerability is currently not triggerable in any way that's actually useful to an attacker that I can think of, but it will be when #368 gets implemented. I don't think
Makes sense, I saw in the UI what seemed like possible shared editing features. I recommend DOMPurify to do the sanitization since it's the most robust whitelisting solution IMO!
Hi,

There is a stored XSS caused by the conversion of a blog post's contents from the classic editor to the new editor. When clicking the button to switch to the new editor, the code in editor.rs (Plume/plume-front/src/editor.rs, lines 383 to 401 in 97cbe7f) calls

content.set_inner_html(&content_val);

using the post's text. If the text contains HTML tags like <img src=x onerror=alert()>, an XSS will occur.

To fix this, you should use

content.set_inner_text(&content_val);

instead.