Cross-site Scripting (XSS) - Reflected in tagspaces/viewertext

Valid

Reported on

May 18th 2021


✍️ Description

viewerText used within the Tagspaces to show a preview of text files is vulnerable to cross site scripting.

🕵️‍♂️ Proof of Concept

If any HTML is feeded to setContent function:

setContent("<script>alert('xss');</script>)

It appends it to the dom without any filteration:

$textContent.empty().append(content);

💥 Impact

This vulnerability is capable of manipulating DOM and running arbitrary JavaScript. As tagspaces is an electron application and uses this library in its core, I utilized this to gain code execution which is disclosed here

Occurrences

0xcrypto
a year ago

Researcher


For the fixer:

Use jQuery.text() instead of jQuery.append(). ie.

$textContent.empty().text(content);
Ilian
a year ago

How about adding something like DOMPurify on top ?

0xcrypto
a year ago

Researcher


I think jQuery.text() would suffice the need as it uses document.createTextNode() internally which converts any tag to entities.

Pavlos
a year ago

Admin


I'm just testing the admin tag :)

to join this conversation