Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

存在XSS漏洞 #7

Open
Leeport opened this issue Aug 5, 2019 · 14 comments
Open

存在XSS漏洞 #7

Leeport opened this issue Aug 5, 2019 · 14 comments

Comments

@Leeport
Copy link

Leeport commented Aug 5, 2019
edited
Loading

存在XSS
payload:

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
@nicejade
Copy link
Owner

nicejade commented Aug 7, 2019

@Leeport 嗯,好的,感谢提醒,这些安全性相关的,确实还没给予处理;会尽快修复类似漏洞。

@88250
Copy link

88250 commented Apr 18, 2020

这个问题 Vditor 已经修复,可以考虑同步一波。

@nicejade
Copy link
Owner

@88250 赞👍,将尽快同步。

@fritx
Copy link

fritx commented May 7, 2020

@88250 发布了嘛?我引用的[email protected] 还是存在这个问题,可以弹出XSS

@nicejade 老哥,我最近做一个 https://coldemo.js.org/ 是一个demo gallery站点,今天把vditor和arya也加了进去,还望许可 😆

@fritx
Copy link

fritx commented May 7, 2020

轩轩大

@88250
Copy link

88250 commented May 7, 2020

@fritx 麻烦给我一下 Markdown 原文,谢谢

@fritx
Copy link

fritx commented May 7, 2020

@88250 #7 (comment) 就把楼主的这段粘贴进我的这个页面
https://coldemo.js.org/#/playground/vditor-rich.md 的editor里 能弹出XSS

页面里加载的是[email protected] 调用的.preview()方法
PS:我把vditor和arya也加了进去,还望许可 😆

@fritx
Copy link

fritx commented May 7, 2020
edited
Loading

调用的源码在这里 https://github.com/coldemo/gallery.code/blob/master/src/playground/codeTransform.ts#L95-L134 (https://github.com/coldemo/gallery.code/blob/master/src/playground/codeTransform.ts#L95-L136)

@88250
Copy link

88250 commented May 7, 2020

@fritx 分屏预览模式下默认没有开启过滤,可通过 vditor.lute.SetSanitize(true) 来开启。具体可参考 88250/lute#51

@fritx
Copy link

fritx commented May 7, 2020

赞,感谢,刚没仔细看到默认不开启,我试试

@fritx
Copy link

fritx commented May 7, 2020

@88250 window.Lute (1.3.3) 没有这个方法,vditor (3.2.0)上也没lute这个引用

github code 搜 lute.setsanitize 只有一处go的结果,暂时没有其他js参考
https://github.com/search?q=lute.setsanitize&type=Code

@Vanessa219
Copy link

@fritx

const vditor = new Vditor()
vditor.vditor.lute.SetSanitize

@fritx
Copy link

fritx commented May 7, 2020

image

@Vanessa219 我引的[email protected] 截图里 new 出来的示例上 也不存在 viditor或lute这两个属性
而且我的场景只调了Vditor.preview这个静态方法 😅

@Vanessa219
Copy link

@fritx Vanessa219/vditor#376

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@88250 @Vanessa219 @fritx @nicejade @Leeport