-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Fix for Cross Site Scripting - huntr.dev #3782
base: develop
Are you sure you want to change the base?
Conversation
Fixed Cross Site Scripting (XSS) in editor
Switching between the regular editor and the Code View back and forth escapes the Code View again and again for me: Added a different regex on |
Co-authored-by: R2116 <15418932+R2116@users.noreply.github.com>
Co-authored-by: R2116 <15418932+R2116@users.noreply.github.com>
Co-authored-by: R2116 <15418932+R2116@users.noreply.github.com>
@R2116 - the requested changes have been made! Thanks! π° |
@lqez @easylogic @hackerwins bump |
@R2116 @lqez @easylogic @hackerwins - any updates on this? Cheers! π° |
@R2116 The changes to fix this vulnerability have been made to the wrong files, please do NOT edit the files in the dist/ folder, but rather the relevant files within the src/ folder, thank you. |
I've just been reviewing this patch, there is an issue where the > and < in element tags are being converted, so for e.g. images are being displayed as |
Um, I remember in the settings there's options to filter the codeview data, which has options that this PR is trying to fix, and works. codeviewFilter: false,
codeviewFilterRegex: /<\/*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|ilayer|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|t(?:itle|extarea)|xml)[^>]*?>/gi,
codeviewIframeFilter: true,
codeviewIframeWhitelistSrc: [],
codeviewIframeWhitelistSrcBase: [
'www.youtube.com',
'www.youtube-nocookie.com',
'www.facebook.com',
'vine.co',
'instagram.com',
'player.vimeo.com',
'www.dailymotion.com',
'player.youku.com',
'v.qq.com',
], |
@ivanovych666 I agree, except for the XSS issues while using the editor in the Browser, sanitising data before editing and database/other storage should take place. Similar options like the codeview options should be implemented, I could do some changes as an experiment and see how that performs, I am mainly waiting through the discussion to determine what our best options for this are. |
Looking at the changes in this PR, it looks like another PR should probably be made to reflect the changes without the |
I'm actively dealing with a XSS attack in our app using summernote. I'd like to ensure this test case is covered for pasting into code view: |
@nuclearghost you can insert this into dev tools console and you will have the same result. This is not an issue. The issue if this script can be executed for another user. But this is not a WYSIWYG editor issue, it is up to developer to properly escape values before displaying to users or storring somewhere. BTW, we use this editor on a project and successfully passed a professional security audit without any issues. So it is up to you of how to use it. But I'm agree, that the ability to filter values immediatelly will be an awesome feature. |
Thanks for the feedback @ivanovych666 . We're probably outside the scope for this PR, but this seems to be the active XSS thread. I understand there are different type of attacks for XSS. There's stored XSS where I totally agree it's not the responsibility of the WYSIWYG editor. I'm also concerned about the case where a non-technical user pastes in some HTML into the code view and then views it in the normal editor mode. I'll attempt to add a callback where this can be handled in a separate PR. |
I managed to somewhat fix it by having my code like this:
This still doesn't fix it if you try type PHP Tidy might be worth looking into: I found a solution by using
The |
I think we need a solution that doesn't require external libraries, we need to consider that not everyone uses PHP. |
With Javascript you can also use a heredoc like this:
|
for some people looking this on php, i was using some regex to find scripts tags and codes inside and delete them...
|
A better option when outputting to the browser using PHP, is to use a proven library like HTMLPurifier, it's easy, and properly sanitizes the output, esp. for XSS vulnerabilities. However, as I stated above, we really need a solution that works inside Summernote to be able to cover every programming language scenario, and mainly as new coders often lack the knowledge to sanitize data properly. |
It's been brought to my attention, that the dropzone is a potential XSS security risk, with the reporter indicating the following like could be the culprit: summernote/src/js/module/Dropzone.js Line 107 in a8ebe18
I don't think it's the code in the line per see, but rather that that function doesn't sanitize the data before calling the insertNode for the item. I think we need to revisit this issue, and possibly create a working sanitation function that can be called to sanitize data before insertion. |
I am the reporter for this issue. |
summernote/src/js/module/Dropzone.js Line 105 in a8ebe18
summernote/src/js/core/range.js Line 573 in 7ab83a1
markup argument is the culprit.
|
Hello, Just bumping this as it's still ongoing issue Snyk is detecting in our repositories: |
That's ok, no one has come up with a workable solution so far. Been a while too. |
https://huntr.dev/app/users/Asjidkalam has fixed the Cross Site Scripting vulnerability π¨. Asjidkalam has been awarded $25 for fixing the vulnerability through the huntr bug bounty program π΅. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue URL | #3719
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/summernote/1/README.md
User Comments:
π Metadata *
Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.
Bounty URL: https://www.huntr.dev/bounties/1-npm-summernote
βοΈ Abstract
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript with object decoding such as
<script>alert(1)</script>
resulting in XSS. The fix is to sanitize the input on the package before further processing/executing.β Technical description
Issue: #3719
From the issue, the package doesn't sanitize any HTML entities thrown at it. It is unsafe and causes reflected XSS in all cases. However, filtering out the tags which causes XSS from the DOM input can mitigate the issue.
The Fix is implemented in the
dom_value
function, which returns the input value (val
) from the DOM.val
variable is sanitized by replacing tags like&
,>
,<
with&
,<
and>
respectively. So i made a callback prototype function to achieve this:π Proof of Vulnerability (PoV)
Open the editor, go to the
Code View
section and enter the following payload:<script>alert(1)</script>
, now deactivate theCode View
to trigger the XSS.Before patch:
π₯ Proof of Fix (PoF)
After patch:
It successfully sanitizes the input and deactivates from the
Code View
without triggering XSS.The debug messages in the console shows the actual input and filtered input.
index.html file used in the POC: