
Cross-Site Scripting in Mercury #453

Open
soaj1664 opened this issue Apr 13, 2014 · 4 comments

Comments

@soaj1664

Hi,

The editor is vulnerable to an XSS. The editor allows users to insert a link, and if instead of a normal link I input a JavaScript URI

javascript:alert%28location%29

then it works. The attacker can execute arbitrary code of his choice. Please fix this issue. Thanks!


@yakatz
Contributor

yakatz commented Apr 13, 2014

That is how it is supposed to work. If you don't want it to do that, you need to implement a filter in your save method.

@jejacks0n
Owner

Hey @soaj1664, pretty much what Yahuda says. There's a filtering option that removes tags/attributes before sending to the server, but sanitizing on the server is pretty normal and expected. If I don't call it out specifically it's because the expectation was obvious to me, but I may need to update the readme.

@soaj1664
Author

Hi @yakatz and @jejacks0n

Sorry, I do not understand you, because it does not make any sense to allow a JavaScript URI and require the user to implement their own filter. It would be great if this option were provided by the WYSIWYG editor by default. TinyMCE does not allow JS URIs, and at the same time Jive also does not allow injecting a JS URI.

@yakatz
Contributor

yakatz commented Apr 13, 2014

@soaj1664 The way I use the editor, I want people to be able to create javascript: URIs. We use this feature a lot on one project. For projects where I want to limit what the user can save, I use a whitelist of allowed tags, since a malicious user could manipulate the posted JSON to contain anything whether the editor allows it or not.
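An added example of the server-side check described in this thread (not Mercury's code and not from any commenter): the saved HTML is inspected before storage, and any link whose scheme is not on an allowlist is stripped, including the `javascript:alert%28location%29` form from the report. The function names `isSafeHref` and `sanitizeLinks` and the constructed sample inputs are assumptions for illustration.

```javascript
// Allowed URL schemes for links saved from the editor. Anything else
// (javascript:, data:, vbscript:, ...) is rejected; scheme-less relative
// URLs are allowed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Normalise an href the way a browser would before it decides on the scheme:
// tabs/newlines are ignored anywhere, leading/trailing C0 controls and spaces
// are trimmed. Percent-decoding first is a conservative extra step so that an
// encoded colon cannot hide the scheme from the regex below.
function normaliseHref(raw) {
  let href = String(raw);
  try { href = decodeURIComponent(href); } catch (e) { /* keep undecodable input as-is */ }
  return href.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// True when the link has no scheme (relative URL) or an allowlisted scheme.
function isSafeHref(raw) {
  const href = normaliseHref(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Remove the href attribute from every <a> tag whose target fails isSafeHref.
// The tag is kept so the link text survives; only the dangerous target is lost.
function sanitizeLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const cleaned = attrs.replace(
      /\s+href\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi,
      (attr, _q, dq, sq, bare) => {
        const value = dq !== undefined ? dq : (sq !== undefined ? sq : bare);
        return isSafeHref(value) ? attr : '';
      });
    return '<a' + cleaned + '>';
  });
}

// Constructed sample: the report's payload next to a legitimate link.
const sample = '<a href="javascript:alert%28location%29">click</a> ' +
               '<a href="https://example.com/docs" target="_blank">docs</a>';
console.log(sanitizeLinks(sample));
// -> <a>click</a> <a href="https://example.com/docs" target="_blank">docs</a>
```

Regex-based attribute rewriting is shown here for brevity; a production filter should run the same scheme check inside a proper HTML sanitizer that parses the markup, and should also apply the tag allowlist mentioned above.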
