
xss in nutshell #32

Open
@arxenix

Description

If nutshell processes untrusted (but sanitized) content, there are some XSS vulnerabilities:

e.g.

<a href="x">:test&lt;img src=x onerror=alert(1)&gt;</a>

gets transformed to

<a href="x" class="nutshell-expandable" mode="closed">
<span class="nutshell-expandable-text">
test<img src="x" onerror="alert(1)">
</span>
<span class="nutshell-ball-up" style="background: rgb(0, 0, 0);"></span>
<span class="nutshell-ball-down" style="background: rgb(0, 0, 0);"></span>
</a>

there's also xss with untrusted youtube urls, e.g. the URL https://youtu.be/pQ2dI_B_Ycg?t=36"></iframe><img src=x onerror="alert(1)">

<a href='https://youtu.be/pQ2dI_B_Ycg?t=36"></iframe><img src=x onerror="alert(1)">'>:xss</a>

DOMPurify should always be run as the very last step before inserting anything into the DOM. Currently nutshell doesn't do this, so there are a few ways to obtain XSS. This should fix potential issues (but also, ideally the code should be rewritten to avoid all the HTML concatenation and instead use DOM node/tree operations).
