Hi,

There is a stored XSS caused by the conversion of a blog post's contents from the classic editor to the new editor. When clicking the button to switch to the new editor, the code at editor.rs (Plume/plume-front/src/editor.rs, lines 383 to 401 in 97cbe7f):

```rust
let content_val = get_elt_value("editor-content");
// And pre-fill the new editor with this values
let title = init_widget(&ed, "h1", i18n!(CATALOG, "Title"), title_val, true)?;
let subtitle = init_widget(
    &ed,
    "h2",
    i18n!(CATALOG, "Subtitle, or summary"),
    subtitle_val,
    true,
)?;
let content = init_widget(
    &ed,
    "article",
    i18n!(CATALOG, "Write your article here. Markdown is supported."),
    content_val.clone(),
    false,
)?;
if !content_val.is_empty() {
    content.set_inner_html(&content_val);
}
```

uses the WebAssembly-JS bridge to run `content.set_inner_html(&content_val);` using the post's text. If the text contains HTML tags like `<img src=x onerror=alert()>`, an XSS will occur.
1. In a Plume instance, create a post draft in a blog using the classic editor with the contents `<img src=x onerror=alert()>`.
2. Autosave.
3. Switch to the new editor. An alert box will pop.
To fix this, you should use `content.set_inner_text(&content_val);` instead.
That vulnerability is currently not triggerable in any way that's actually useful to an attacker that I can think of, but it will be when #368 gets implemented.
I don't think `set_inner_text` would do the trick: you are supposed to be able to insert (a safe subset of) HTML in a blog post. What should be done is the same kind of sanitization that's done when publishing.
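The distinction the second comment draws, shown as an added example that is not Plume's code and not whatever sanitizer Plume applies at publish time: `escape_html` reproduces what assigning through `set_inner_text` gives (every character rendered literally, so the safe markup is lost too), while `sanitize` is a small allowlist sanitizer of the kind the comment asks for, which keeps harmless tags and strips event-handler attributes, unknown tags and `javascript:` URLs. The tag and attribute allowlist, the accepted URL schemes and the sample inputs are assumptions chosen for illustration.

```rust
// Added example (not Plume's code): allowlist HTML sanitisation contrasted with
// plain escaping. Allowed tags, attributes and URL schemes are assumptions.

/// Escape text so the browser renders it literally; this is the effect of
/// set_inner_text, and it neutralises safe markup along with the payload.
pub fn escape_html(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Allowlist (assumed for this example): which tags survive and which
/// attributes each may carry. script, iframe, style, on* handlers... are dropped.
fn allowed_attrs(tag: &str) -> Option<&'static [&'static str]> {
    match tag {
        "p" | "br" | "b" | "i" | "em" | "strong" | "code" | "pre" | "blockquote"
        | "ul" | "ol" | "li" | "h2" | "h3" => Some(&[]),
        "a" => Some(&["href", "title"]),
        "img" => Some(&["src", "alt"]),
        _ => None,
    }
}

/// Reject javascript:/data:/vbscript: style URLs, including ones obfuscated with
/// whitespace or control characters. A URL with ':' must use an accepted scheme;
/// relative URLs containing ':' are also rejected (conservative, but simple).
fn safe_url(v: &str) -> bool {
    let cleaned: String = v.chars().filter(|c| !c.is_control() && !c.is_whitespace()).collect();
    let cleaned = cleaned.to_ascii_lowercase();
    !cleaned.contains(':')
        || ["http://", "https://", "mailto:"].iter().any(|p| cleaned.starts_with(*p))
}

/// Minimal attribute tokenizer: name, name=value, name="value", name='value'.
fn parse_attrs(s: &str) -> Vec<(String, String)> {
    let c: Vec<char> = s.chars().collect();
    let (mut i, mut attrs) = (0, Vec::new());
    while i < c.len() {
        while i < c.len() && c[i].is_whitespace() { i += 1; }
        let start = i;
        while i < c.len() && !c[i].is_whitespace() && c[i] != '=' { i += 1; }
        if start == i { break; } // stray '=' with no name: stop
        let name: String = c[start..i].iter().collect::<String>().to_ascii_lowercase();
        while i < c.len() && c[i].is_whitespace() { i += 1; }
        let mut value = String::new();
        if i < c.len() && c[i] == '=' {
            i += 1;
            while i < c.len() && c[i].is_whitespace() { i += 1; }
            let quote = c.get(i).filter(|q| **q == '"' || **q == '\'').copied();
            if quote.is_some() { i += 1; }
            while i < c.len() && quote.map_or(!c[i].is_whitespace(), |q| c[i] != q) { value.push(c[i]); i += 1; }
            if quote.is_some() { i += 1; } // skip the closing quote
        }
        attrs.push((name, value));
    }
    attrs
}

/// Rebuild one tag from the raw text between '<' and '>', or drop it entirely.
fn sanitize_tag(raw: &str) -> String {
    let body = raw.trim();
    let (closing, body) = match body.strip_prefix('/') { Some(b) => (true, b.trim()), None => (false, body) };
    let body = body.trim_end_matches('/').trim(); // accept "<br/>" and "<img ... />"
    let (name, attr_src) = body.split_at(body.find(char::is_whitespace).unwrap_or(body.len()));
    let name = name.to_ascii_lowercase();
    let allowed = match allowed_attrs(&name) { Some(a) => a, None => return String::new() };
    if closing { return format!("</{}>", name); }
    let mut tag = format!("<{}", name);
    for (attr, value) in parse_attrs(attr_src) {
        let url_attr = attr == "href" || attr == "src";
        // onerror=, onclick=, style= ... are not in the allowlist and fall away here.
        if allowed.contains(&attr.as_str()) && (!url_attr || safe_url(&value)) {
            tag.push_str(&format!(" {}=\"{}\"", attr, escape_html(&value)));
        }
    }
    tag.push('>');
    tag
}

/// Walk the input, escaping text and passing each tag through the allowlist.
/// Text inside a dropped tag (e.g. a script body) is kept as inert escaped text.
pub fn sanitize(input: &str) -> String {
    let (mut out, mut rest) = (String::new(), input);
    while let Some(lt) = rest.find('<') {
        out.push_str(&escape_html(&rest[..lt]));
        let after = &rest[lt + 1..];
        match after.find('>') {
            Some(gt) => { out.push_str(&sanitize_tag(&after[..gt])); rest = &after[gt + 1..]; }
            None => { out.push_str(&escape_html(&rest[lt..])); rest = ""; } // bare '<' in text
        }
    }
    out.push_str(&escape_html(rest));
    out
}

fn main() {
    // Constructed sample: safe markup followed by the payload from the report.
    let payload = "<p>Hello <b>world</b></p><img src=x onerror=alert()>";
    println!("escaped  : {}", escape_html(payload));
    println!("sanitised: {}", sanitize(payload));
}
```

Run it and the escaped form shows the whole post as literal text, including the `<b>` the author wanted rendered; the sanitised form keeps `<p>` and `<b>` and reduces the payload to `<img src="x">`. Note that this toy re-escapes `&` in text, so already-encoded entities are double-encoded; a real sanitizer parses entities, which is one reason to reuse the publish-time sanitizer rather than write a new one for the editor.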