Name

Dev.to (Forem) CTA XSS

Weakness

XSS

Severity

Medium

Summary

DEV is a community of software developers built on Forem, open source software designed to empower communities. Posts are written in DEV's built-in Markdown editor, which also accepts Liquid tags.

For example, the CTA tag, {% cta link %} desc {% endcta %}, renders a button that links to the given URL. The backend did not validate the link's scheme, so a javascript: URL is written into the button's href unchanged and executes when the button is clicked (a stored XSS that fires on click).

Trigger

  1. Create a post or comment and, in the editor, submit the following payload:

    {% cta javascript:alert(document.domain) %} clickme {% endcta %}

    (screenshot: dev1)

  2. Once the payload is saved, a button is rendered. Clicking the button triggers the XSS.

    (screenshots: dev2, dev3)

  3. Use Chrome DevTools to inspect the rendered anchor:

    (screenshot: dev4)

Root cause

In the Forem codebase, the CTA partial interpolates the link directly into the href attribute:

_cta.html.erb

<a href="<%= link %>" class="ltag_cta ltag_cta--<%= type %>" role="button"><%= description %></a>

The render method in cta_tag passes @link through untouched; only the description is sanitized:

def render(_context)
  content = Nokogiri::HTML.parse(super)

  ApplicationController.render(
    partial: PARTIAL,
    locals: {
      # @link is handed to the partial as-is: no scheme check, so a
      # "javascript:" URL reaches the href attribute unchanged.
      link: @link,
      description: sanitized_description(content),
      type: TYPE_OPTIONS.first
    },
  )
end

Rails' <%= %> HTML-escapes the value, which prevents breaking out of the attribute with a quote, but a javascript: URL contains nothing that needs escaping, so it survives intact and the scheme is never checked.
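To make the root cause concrete, the following is an added example and not Forem's code: a small stand-in for the CTA tag that renders the same anchor as the partial above, once with the link passed through as in the vulnerable render (reproducing the payload from the Trigger section), and once behind a scheme allowlist. The regex used to pick the tag apart is an approximation of Liquid's syntax, and the names render_cta_vulnerable, render_cta_safe, safe_link? and the http/https allowlist are assumptions made for this illustration.

```ruby
require "cgi"

# Added example, not Forem's code. CTA_RE approximates the Liquid syntax
# "{% cta LINK %} DESC {% endcta %}"; the function names below are
# hypothetical and chosen for this illustration only.
CTA_RE = /\{%\s*cta\s+(\S+)\s*%\}(.*?)\{%\s*endcta\s*%\}/m

def render_anchor(href, desc)
  # Same shape as Forem's _cta.html.erb. CGI.escapeHTML plays the role of
  # Rails' <%= %> auto-escaping: it stops attribute breakout via quotes, but
  # a "javascript:" URL contains nothing to escape and survives intact.
  %(<a href="#{CGI.escapeHTML(href)}" class="ltag_cta" role="button">#{CGI.escapeHTML(desc)}</a>)
end

# Vulnerable version: the link is passed straight through and only the
# description is treated as untrusted, mirroring the original render.
def render_cta_vulnerable(body)
  body.gsub(CTA_RE) { render_anchor(Regexp.last_match(1), Regexp.last_match(2).strip) }
end

# Assumption: a CTA button should only point at web URLs.
ALLOWED_SCHEMES = %w[http https].freeze

# Scheme allowlist. Control characters and whitespace are removed before
# matching because browsers discard them when parsing a scheme, so
# "java\tscript:" or " javascript:" would otherwise get past a naive check.
# A link with no scheme at all (a relative path such as /t/security) is
# accepted, since it can only navigate within the site.
def safe_link?(link)
  cleaned = link.gsub(/[\u0000-\u0020\u007f]/, "")
  m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
  return true if m.nil?
  ALLOWED_SCHEMES.include?(m[1].downcase)
end

# Hardened version: a link with an unexpected scheme is replaced by "#" so
# the button still renders but cannot execute script on click.
def render_cta_safe(body)
  body.gsub(CTA_RE) do
    link, desc = Regexp.last_match(1), Regexp.last_match(2).strip
    render_anchor(safe_link?(link) ? link : "#", desc)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the payload from the Trigger section.
  payload = "{% cta javascript:alert(document.domain) %} clickme {% endcta %}"
  puts render_cta_vulnerable(payload)
  puts render_cta_safe(payload)
end
```

The check is deliberately done on the scheme rather than by searching the string for "javascript", because case changes, embedded tabs and leading whitespace all defeat a substring match while the browser still treats the value as a javascript: URL; rejecting everything not on a short allowlist also covers data: and other schemes that can carry script.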