Fix <RichTextField> XSS vulnerability #8644

Merged (4 commits), Feb 13, 2023
Conversation

fzaninotto (Member) commented Feb 13, 2023

Problem

<RichTextField> leverages the dangerouslySetInnerHTML attribute, expecting the value to be already sanitized server-side.

If it is not, a malicious user can execute an XSS attack by injecting malicious data.

Proof-of-concept:

```jsx
import React from 'react';
import { RecordContextProvider, RichTextField } from 'react-admin';

// Proof-of-concept component. The record body is raw, unsanitized HTML carrying
// inline event handlers; before this fix <RichTextField> handed it straight to
// dangerouslySetInnerHTML, so a click, a hover, or the failing <img> load alone
// runs attacker-controlled JavaScript in the admin user's session.
export const RichTextFieldXssDemo = () => (
    <RecordContextProvider
        value={{
            id: 1,
            body: `
<p>
<strong>War and Peace</strong> is a novel by the Russian author
<a href="https://en.wikipedia.org/wiki/Leo_Tolstoy" onclick="document.getElementById('stolendata').value='credentials';">Leo Tolstoy</a>,
published serially, then in its entirety in 1869.
</p>
<p onmouseover="document.getElementById('stolendata').value='credentials';">
It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature.
</p>
<img src="x" onerror="document.getElementById('stolendata').value='credentials';" />
`,
        }}
    >
        <RichTextField source="body" />
        <hr />
        {/* Stand-in for whatever the injected script exfiltrates or modifies */}
        <div>
            <h4>Stolen data:</h4>
            <input id="stolendata" defaultValue="none" />
        </div>
    </RecordContextProvider>
);
```

Solution

Sanitize the value by default using DOMPurify. This adds 8.6kB gzipped to the final bundle for people using <RichTextField>, but it's inevitable.

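A regression check for the fix described above, written for this page as an added example (it is not code from this PR or from react-admin). It scans markup for the constructs the proof-of-concept relies on: inline `on*` event-handler attributes, `javascript:`/`vbscript:` URLs in URL-bearing attributes, and active elements such as `<script>` and `<iframe>`. The idea is to run it over whatever string actually reaches `dangerouslySetInnerHTML` (after sanitization) and assert that it finds nothing. `POC_BODY` is the PR's payload; `EXPECTED_AFTER_SANITIZE` is a hand-constructed approximation of that payload with the handlers stripped, used only as sample input.

```javascript
// Added example: a test-side scanner for script sinks in HTML strings.
// It is a regression CHECK, not a sanitizer. A regex scanner cannot be the
// defence (entity-encoded schemes, malformed markup and mutation XSS all
// get past it); the fix in this PR is to sanitize with DOMPurify.

// Elements that execute or load code regardless of their attributes.
const DANGEROUS_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'base', 'form']);
// Attributes whose value is interpreted as a URL and may carry a script scheme.
const URL_ATTRS = new Set(['href', 'src', 'xlink:href', 'action', 'formaction']);

// Browsers strip ASCII control characters and whitespace before scheme
// matching, so "  JaVaScRiPt:" still runs; normalise the same way.
function normalizeUrl(value) {
  return value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
}

// Drop surrounding quotes from a raw attribute value, if any.
function unquote(raw) {
  if (raw === undefined) return '';
  const q = raw[0];
  return (q === '"' || q === "'") && raw[raw.length - 1] === q ? raw.slice(1, -1) : raw;
}

// Returns an array of { tag, attr, reason } findings, one per sink, in
// document order. Only start tags are inspected; a '>' inside a quoted
// attribute value would confuse the tag regex (acceptable for a test helper).
function findScriptSinks(html) {
  const findings = [];
  const tagRe = /<\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tagMatch;
  while ((tagMatch = tagRe.exec(html)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    if (DANGEROUS_TAGS.has(tag)) {
      findings.push({ tag, attr: null, reason: 'active element' });
    }
    attrRe.lastIndex = 0;
    let attrMatch;
    while ((attrMatch = attrRe.exec(tagMatch[2])) !== null) {
      const attr = attrMatch[1].toLowerCase();
      if (attr.startsWith('on')) {
        findings.push({ tag, attr, reason: 'inline event handler' });
      } else if (URL_ATTRS.has(attr)) {
        const url = normalizeUrl(unquote(attrMatch[2]));
        if (url.startsWith('javascript:') || url.startsWith('vbscript:')) {
          findings.push({ tag, attr, reason: 'scriptable URL' });
        }
      }
    }
  }
  return findings;
}

// Sample input 1: the proof-of-concept body from the PR.
const POC_BODY = `
<p>
<strong>War and Peace</strong> is a novel by the Russian author
<a href="https://en.wikipedia.org/wiki/Leo_Tolstoy" onclick="document.getElementById('stolendata').value='credentials';">Leo Tolstoy</a>,
published serially, then in its entirety in 1869.
</p>
<p onmouseover="document.getElementById('stolendata').value='credentials';">
It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature.
</p>
<img src="x" onerror="document.getElementById('stolendata').value='credentials';" />
`;

// Sample input 2: constructed by hand for this example, approximating what an
// allowlist sanitizer such as DOMPurify leaves of the payload (handlers gone,
// harmless markup and the https link kept).
const EXPECTED_AFTER_SANITIZE = `
<p>
<strong>War and Peace</strong> is a novel by the Russian author
<a href="https://en.wikipedia.org/wiki/Leo_Tolstoy">Leo Tolstoy</a>,
published serially, then in its entirety in 1869.
</p>
<p>
It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature.
</p>
<img src="x">
`;

console.log('before sanitization:', findScriptSinks(POC_BODY));
console.log('after sanitization: ', findScriptSinks(EXPECTED_AFTER_SANITIZE));
```

In a component test, feed the scanner the string the fixed field actually renders (for example the `innerHTML` of the rendered node) and fail the test on any finding; that catches a regression where the sanitizer is bypassed or disabled, while the sanitizer itself stays DOMPurify.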
@fzaninotto added the RFR (Ready For Review) label, Feb 13, 2023
@fzaninotto force-pushed the fix-RichTextField-XSS branch 2 times, most recently from c2113b8 to e5bfbe2, February 13, 2023 13:01
@slax57 merged commit c1891af into master, Feb 13, 2023
@slax57 deleted the fix-RichTextField-XSS branch, February 13, 2023 14:42
fzaninotto (Member, Author) commented:

Fixes GHSA-5jcr-82fh-339v
