Scenario:
A user inserts content into the Froala Editor using the Code View feature. The inserted content includes a valid but malicious HTML payload containing an <object> tag with a data attribute pointing to a javascript: URI. There might also be an issue with how the <xmp> tag is parsed: it gets removed from the HTML, but the <object> stays.
Payload:
This payload is saved by the editor and re-executed every time the content is rendered.
I have created a JSFiddle to test the XSS on the latest version 4.5: https://jsfiddle.net/solidshadw/pk06sh4o/
Expected Behavior:
The editor should sanitize the input and prevent any executable JavaScript or dangerous HTML from being stored and executed. Specifically, it should disallow or sanitize javascript: URIs within HTML attributes, including the data attribute of the <object> element.
Actual Behavior:
A line break is added.
Analysis:
The issue stems from Froala's HTML sanitizer allowing <object> elements with unsanitized data URIs. While event handlers and javascript: links are often filtered in common elements (<a>, <img>, <script>, etc.), the <object> tag is overlooked.
Since the data="javascript:..." pattern is still honored by browsers for certain elements, this results in full JavaScript execution, turning the issue into a stored XSS.
Editor version:
4.5 and older. Tested on the newest version and on 4.3.1.
OS:
Windows 11 and macOS Sequoia
Browser:
Firefox (latest)
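As an added illustration of the check the Analysis above says is missing (this is not code from the report or from Froala), the Python script below audits an HTML fragment for URL-bearing attributes, object[data] included, whose value resolves to a scheme outside a small allowlist, so a javascript: URI is caught regardless of the element carrying it. The sample fragments are constructed, and the attribute set, scheme allowlist and function names are my own choices, not Froala's.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose value the browser loads or navigates to. The report's gap is
# object[data]; embed[src] and codebase belong in the same set.
URL_ATTRS = {"href", "src", "data", "action", "formaction", "codebase", "xlink:href"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # everything else (javascript:, data:, ...) is rejected
# Browsers ignore ASCII whitespace/control characters inside a scheme, so
# "java\tscript:" and " JaVaScRiPt:" still execute. Normalise them away first.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")

def is_safe_uri(raw):
    """True when the value is a relative URL or uses an allowlisted scheme."""
    # Decode entities so "&#106;avascript:" is seen as "javascript:". html.parser
    # already decodes attribute values once; a second pass only errs toward rejecting.
    value = _CTRL_WS.sub("", html.unescape(raw or ""))
    # The text before the first ':' is a scheme only if that ':' precedes any
    # '/', '?' or '#'; otherwise the URL is relative and has no scheme at all.
    head = re.split(r"[/?#]", value, maxsplit=1)[0]
    return ":" not in head or head.split(":", 1)[0].lower() in SAFE_SCHEMES

class UriAuditor(HTMLParser):
    """Records every (tag, attribute, value) whose URL fails is_safe_uri."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also reached for self-closing tags
        for name, value in attrs:
            if name in URL_ATTRS and not is_safe_uri(value):
                self.findings.append((tag, name, value))

def unsafe_uri_attrs(fragment):
    """Return the unsafe URL attributes in an HTML fragment (empty list if clean)."""
    auditor = UriAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    # Constructed samples; the report's own payload is not reproduced here.
    for sample in (
        '<a href="https://example.com/">ok</a><img src="/img/logo.png">',
        '<object data="javascript:alert(1)"></object>',
        '<embed src=" JAVA\tSCRIPT:alert(1)">',
    ):
        print(sample, "->", unsafe_uri_attrs(sample) or "clean")
```

Running this at store time, server-side, gives a rejection point that does not depend on which elements the editor's own sanitizer happens to cover.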