@fzaninotto fzaninotto commented Feb 13, 2023

Problem

<RichTextField> leverages the dangerouslySetInnerHTML attribute, expecting the value to be already sanitized server-side.

If it is not, a malicious user can execute an XSS attack by injecting malicious data.

Proof-of-concept:

    <RecordContextProvider
        value={{
            id: 1,
            body: `
<p>
<strong>War and Peace</strong> is a novel by the Russian author
<a href="https://en.wikipedia.org/wiki/Leo_Tolstoy" onclick="document.getElementById('stolendata').value='credentials';">Leo Tolstoy</a>,
published serially, then in its entirety in 1869.
</p>
<p onmouseover="document.getElementById('stolendata').value='credentials';">
It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature.
</p>
<img src="x" onerror="document.getElementById('stolendata').value='credentials';" />
`,
        }}
    >
        <RichTextField source="body" />
        <hr />
        <div>
            <h4>Stolen data:</h4>
            <input id="stolendata" defaultValue="none" />
        </div>
    </RecordContextProvider>

Solution

Sanitize the value by default using DOMPurify. This adds 8.6kB gzipped to the final bundle for people using <RichTextField>, but it's inevitable.

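Added example (not the patch merged in this PR and not react-admin's own code): the vulnerable pattern the description refers to, beside a hardened form that runs the record value through DOMPurify before it reaches dangerouslySetInnerHTML. It assumes react-admin's useRecordContext hook and DOMPurify's sanitize API; the component names are hypothetical.

```jsx
import * as React from 'react';
import DOMPurify from 'dompurify';
import { useRecordContext } from 'react-admin';

// Vulnerable pattern described above: the record value reaches the DOM untouched,
// so the onclick / onmouseover / onerror handlers in the proof-of-concept all run.
export const UnsafeRichTextField = ({ source }) => {
    const record = useRecordContext();
    const value = record?.[source];
    return <span dangerouslySetInnerHTML={{ __html: value ?? '' }} />;
};

// The "html" profile keeps ordinary markup (<p>, <strong>, <a href>, <img src>)
// and drops <script>, every on* event-handler attribute and javascript: URLs,
// which is what neutralises the three vectors in the PoC payload.
// Caveat: DOMPurify needs a live DOM. In the browser this just works; when
// rendering server-side it must be given a jsdom window, otherwise it does not sanitize.
export const sanitizeRichText = (html) =>
    DOMPurify.sanitize(String(html ?? ''), { USE_PROFILES: { html: true } });

// Hardened form (hypothetical component, not react-admin's implementation).
// Sanitizing inside useMemo avoids re-parsing the HTML on every render.
export const SafeRichTextField = ({ source }) => {
    const record = useRecordContext();
    const value = record?.[source];
    const clean = React.useMemo(() => sanitizeRichText(value), [value]);
    return <span dangerouslySetInnerHTML={{ __html: clean }} />;
};
```

With the PoC record from the description, sanitizeRichText keeps the paragraphs, the bold title, the Wikipedia link and the image, but the onclick, onmouseover and onerror attributes are gone, so the "Stolen data" input is never written to.
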
@fzaninotto fzaninotto added the RFR Ready For Review label Feb 13, 2023
@fzaninotto fzaninotto force-pushed the fix-RichTextField-XSS branch 2 times, most recently from c2113b8 to e5bfbe2 on February 13, 2023 13:01
@slax57 slax57 merged commit c1891af into master Feb 13, 2023
@slax57 slax57 deleted the fix-RichTextField-XSS branch February 13, 2023 14:42
@fzaninotto fzaninotto (Member Author)

Fixes GHSA-5jcr-82fh-339v
