You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've looked at the documentation to make sure the behavior isn't documented and expected.
I'm sure this is an issue with Summernote, not with my app or other dependencies (Angular, Cordova, React, etc.).
I've searched through the current issues to make sure this hasn't been reported yet.
My issue is pertinent to this repository of Summernote (jQuery), or I was unable to have my issue resolved from the relevant version I'm using, such as Angular, dJango, Rails or React. Please try your issue at the relevent repository first.
I understand that issues without interaction for more than 14 days (2 weeks), may be closed at our discretion. We do this, as sometimes issues are abandoned. We may at our discretion, add issues to the relevant project to be looked at, or for maintainers to work through as time permits. This is to help keep issues relevant to the current version of Summernote, and to reduce clutter.
I agree to follow the Code of Conduct that this project adheres to.
Steps to reproduce
Step1. Click on the "Insert Image" button within the Summernote functionality.
Step2. Select an arbitrary image and insert it.
Step3. Click on the "Code View" button.
Step4. Attempt an XSS attack by manipulating the code of the inserted image. <iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">
Step5. Confirm that the Base64-encoded XSS attack code is indeed stored and operational, demonstrating its functionality.
Expected behavior
[Expected behavior]
I expected that upon following the outlined steps, the Summernote functionality would insert the selected image as intended. Additionally, I anticipated that the Code View feature would allow for the manipulation of the inserted image's code. However, I did not expect the system to accept and execute the Base64-encoded XSS attack code, as this would indicate a vulnerability in the application's security measures.
Current behavior
[Current behavior]
After following the specified steps, the Summernote functionality successfully inserts the selected image into the editor. When switching to Code View and attempting to manipulate the code of the inserted image with Base64-encoded XSS attack code, the application does not prevent the insertion or execution of the malicious code. This behavior was observed in version 0.8.18 during my demonstration. Furthermore, similar findings were confirmed in a different environment running version 0.8.20, indicating that the vulnerability persists across multiple versions. This poses a serious security risk as it allows for potential exploitation of cross-site scripting vulnerabilities.
I think the html code should be cleaned and filtered on the server side.
I use jsoup in java with a whitelist for this purpose.
For PHP there are similar extensions and libraries.
For your example, you could also use F12 and inject an alert without any summernote.
The attack should not be reflected but of course you can inject anything in your browser by yourself.
Checklist
Steps to reproduce
Step1. Click on the "Insert Image" button within the Summernote functionality.
Step2. Select an arbitrary image and insert it.
Step3. Click on the "Code View" button.
Step4. Attempt an XSS attack by manipulating the code of the inserted image.
<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">
Step5. Confirm that the Base64-encoded XSS attack code is indeed stored and operational, demonstrating its functionality.
Expected behavior
[Expected behavior]
I expected that upon following the outlined steps, the Summernote functionality would insert the selected image as intended. Additionally, I anticipated that the Code View feature would allow for the manipulation of the inserted image's code. However, I did not expect the system to accept and execute the Base64-encoded XSS attack code, as this would indicate a vulnerability in the application's security measures.
Current behavior
[Current behavior]
After following the specified steps, the Summernote functionality successfully inserts the selected image into the editor. When switching to Code View and attempting to manipulate the code of the inserted image with Base64-encoded XSS attack code, the application does not prevent the insertion or execution of the malicious code. This behavior was observed in version 0.8.18 during my demonstration. Furthermore, similar findings were confirmed in a different environment running version 0.8.20, indicating that the vulnerability persists across multiple versions. This poses a serious security risk as it allows for potential exploitation of cross-site scripting vulnerabilities.
2024-05-09.23.35.24.mp4
Minimal example reproducing the issue
<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">Environment
The text was updated successfully, but these errors were encountered: