Cross-site Scripting (XSS) - Reflected in tagspaces/viewertext
Reported on May 18th 2021
✍️ Description
viewerText, used within Tagspaces to show a preview of text files, is vulnerable to cross-site scripting.
🕵️‍♂️ Proof of Concept
If any HTML is fed to the setContent function:
setContent("<script>alert('xss');</script>");
it is appended to the DOM without any filtering:
$textContent.empty().append(content);
💥 Impact
This vulnerability is capable of manipulating the DOM and running arbitrary JavaScript. As Tagspaces is an Electron application and uses this library in its core, I utilized this to gain code execution, which is disclosed here
Occurrences
For the fixer:
Use jQuery.text() instead of jQuery.append(), i.e.
$textContent.empty().text(content);
I think jQuery.text() would suffice, as it uses document.createTextNode() internally, which converts any tag to entities.
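As an added example (not code from the tagspaces/viewertext project), the two rendering paths above side by side, written against plain DOM properties instead of jQuery so the contrast can be checked offline: `makeContainer` is a constructed stand-in for a DOM element, and `previewIsInert` is an assumed helper name for the check a reviewer would run on the rendered preview.

```javascript
// What a text node serializes to: the three characters that would otherwise be
// parsed as markup. This is the effect jQuery.text() / createTextNode() gives you.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed stand-in for a DOM element: innerHTML stores markup as-is (the browser
// would parse it), textContent stores the string as a single text node.
function makeContainer() {
  return {
    markup: '',
    set innerHTML(html) { this.markup = html; },
    get innerHTML() { return this.markup; },
    set textContent(text) { this.markup = escapeHtml(text); },
  };
}

// Vulnerable pattern, equivalent to $textContent.empty().append(content):
// the file's bytes are handed to the HTML parser, so any tag in the file becomes live DOM.
function setContentUnsafe(container, content) {
  container.innerHTML = content;
}

// Hardened pattern, equivalent to $textContent.empty().text(content):
// the file's bytes become one text node; angle brackets are displayed, never parsed.
function setContentSafe(container, content) {
  container.textContent = content;
}

// Reviewer's check on the rendered preview: a raw "<" followed by a tag-like character
// means something in the file survived as markup rather than text.
function previewIsInert(container) {
  return !/<[a-zA-Z!/?]/.test(container.innerHTML);
}

// Constructed inputs: the PoC string from this report, and an ordinary text file whose
// angle brackets must still be displayed correctly after the fix.
const pocContent = "<script>alert('xss');</script>";
const plainContent = "if (a < b && b > c) { /* nothing to see */ }";

const unsafe = makeContainer();
setContentUnsafe(unsafe, pocContent);           // previewIsInert(unsafe) === false

const safe = makeContainer();
setContentSafe(safe, pocContent);               // previewIsInert(safe) === true

const plain = makeContainer();
setContentSafe(plain, plainContent);            // brackets preserved as &lt; and &gt;
```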