HTML sanitization issue in MFM posts leading to XSS #280

New issue

Closed

opened 2022-11-15 15:35:05 +00:00 by darkkirb · 2 comments

darkkirb commented

2022-11-15 15:35:05 +00:00

Contributor

Floatinghost told me to post it here despite it being a security issue so:

I read this article on a very similar XSS attack in mastodon, which has since been fixed

MFM inputs in the form of:

<abbr title="<a href='https://blah'>:verified:</a><script>alert(1)</script>">

are being converted into

<abbr title="true" a="true" href="https://blah">:verified:&lt;/a&gt;<script>alert(1)</script>"&gt;</abbr>

which, without content security policy enabled, is an XSS.

This does not affect HTML or markdown input, which leaves the input unchanged

Floatinghost told me to post it here despite it being a security issue so: [I read this article on a very similar XSS attack in mastodon, which has since been fixed](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp) MFM inputs in the form of: ```html <abbr title="<a href='https://blah'>:verified:</a><script>alert(1)</script>"> ``` are being converted into ```html <abbr title="true" a="true" href="https://blah">:verified:</a><script>alert(1)</script>"></abbr> ``` which, without content security policy enabled, is an XSS. This does not affect HTML or markdown input, which leaves the input unchanged

floatingghost commented

2022-11-15 15:56:32 +00:00

Owner

would have been weird if this was unique to misskey markdown, since that uses a combination of markdown > html sanitisers

luckily this was purely a FE issue

fixed via 169282ea42a85d0f9da51b206a34210ceca6b99e

would have been weird if this was unique to misskey markdown, since that uses a combination of markdown > html sanitisers luckily this was purely a FE issue fixed via 169282ea42a85d0f9da51b206a34210ceca6b99e

floatingghost commented

2022-11-15 16:08:31 +00:00

Owner

aaaand merged into stable

thanks a lot!

aaaand merged into stable thanks a lot!