XSS security vulnerability #1162

Closed
88250 opened this issue Jan 24, 2022 · 11 comments

@88250 (Collaborator) commented Jan 24, 2022

https://huntr.dev/bounties/fa546b57-bc15-4705-824e-9474b616f628/

Case 1

XSS PoC : [xss](https://google.com/"//onmousemove="alert(document.domain))
> I can insert an onerror. But I can't log in without a Chinese phone number, so I can't test

1. Open the https://ld246.com/guide/markdown
2. Enter the XSS PoC (Strangely, it doesn't insert at once, so I have to try inserting several times)
3. When the user hovers the mouse over the link, XSS is triggered via a mouse event.

Video : https://www.youtube.com/watch?v=pKQMbrezdCs

Case 2

https://www.huntr.dev/bounties/8202aa06-4b49-45ff-aa0f-00982f62005c/

XSS PoC : [xss](javascript:alert(document.domain))

1. Open the https://ld246.com/guide/markdown
2. Enter the XSS PoC
3. Click the Link

Video : https://www.youtube.com/watch?v=5zzdiBivNSs

Case 3

https://ld246.com/article/1647990115728

Handled in #1205.
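The two PoCs above fail for different reasons: Case 1 breaks out of the `href` attribute with a `"` inside the link destination, so `onmousemove=` becomes an attribute of the rendered `<a>`; Case 2 relies on a `javascript:` destination being passed through as-is. The following is an added example, not Vditor's code, showing a minimal `[text](url)` renderer with both defects beside a hardened version that allowlists URL schemes through the WHATWG URL parser and escapes the attribute value. The Markdown subset parsed, the scheme allowlist and the function names are the example's own.

```javascript
// Added example (not Vditor's code): a minimal `[text](url)` renderer with the
// two defects behind Case 1 and Case 2, beside a hardened version.

// Schemes a rendered link may use. Anything else (javascript:, data:,
// vbscript:, ...) is refused. This allowlist is the example's own choice.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Parse a single Markdown inline link. The destination is matched greedily so a
// `)` inside it (as in `alert(document.domain)`) does not end the link early.
function parseLink(md) {
  const m = /^\[([^\]]*)\]\((.*)\)$/s.exec(md);
  return m ? { text: m[1], url: m[2] } : null;
}

// Escape for both text content and double-quoted attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Defective renderer: the destination lands in the attribute verbatim, so
// Case 1's `"` closes href and `onmousemove=` becomes an attribute, and
// Case 2's `javascript:` URL survives as a clickable href.
function renderLinkUnsafe(md) {
  const link = parseLink(md);
  if (!link) return escapeHtml(md);
  return `<a href="${link.url}">${link.text}</a>`;
}

// Scheme check via the WHATWG URL parser, which also normalises the tricks a
// string-prefix check misses: leading whitespace, embedded tab/newline
// ("java\tscript:") and mixed case ("JavaScript:"). Destinations without a
// scheme are resolved against a placeholder base so they parse as relative.
function isSafeUrl(url) {
  let parsed;
  try {
    parsed = new URL(url, "https://placeholder.invalid/");
  } catch {
    return false;
  }
  return SAFE_SCHEMES.has(parsed.protocol);
}

// Hardened renderer: refuse unsafe schemes (the link degrades to an href-less
// <a>), and escape the destination so no `"` can end the attribute.
function renderLinkSafe(md) {
  const link = parseLink(md);
  if (!link) return escapeHtml(md);
  const text = escapeHtml(link.text);
  if (!isSafeUrl(link.url)) return `<a>${text}</a>`;
  return `<a href="${escapeHtml(link.url)}">${text}</a>`;
}

// The two PoCs from the report, as constructed inputs.
const CASE1 = '[xss](https://google.com/"//onmousemove="alert(document.domain))';
const CASE2 = "[xss](javascript:alert(document.domain))";

for (const poc of [CASE1, CASE2]) {
  console.log("unsafe:", renderLinkUnsafe(poc));
  console.log("safe:  ", renderLinkSafe(poc));
}
```

Escaping alone would not have stopped Case 2, and a scheme check alone would not have stopped Case 1; both controls are needed, and the scheme check has to run on the parsed URL rather than on a `startsWith("javascript:")` comparison of the raw string.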

@HerbertHe (Contributor) commented Mar 23, 2022

#918 On the frontend this approach may solve the XSS caused by src to some extent; I suggest simply disabling the typing of iframe tags.

@88250 (Collaborator, Author) commented Mar 23, 2022

I'm afraid it can't be banned; the spec allows it.

@HerbertHe (Contributor)

For projects such as forums that use Vditor, this counts as a serious security issue; at the very least it can be used to plant ads.

@88250 (Collaborator, Author) commented Mar 23, 2022

The backend has to filter it too.

@HerbertHe (Contributor)

Hmm, then we'd have to write a state machine to extract the iframe src attribute and filter it 😂

@88250 (Collaborator, Author) commented Mar 23, 2022

Using an existing library is more reliable.
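The exchange above turns on two points: `iframe` cannot be rejected outright because the Markdown spec allows raw HTML, and a check in the editor frontend is not enough, so the backend must filter the rendered HTML as well. The following is an added example, not Vditor's or ld246's code, of the kind of server-side post-render check a sanitizer library would apply: it tokenises start tags of embedding elements (`iframe`, `embed`, `object`) and drops any whose source is not an HTTPS URL on an allowlist of hosts. The allowlist, the function names and the sample input are the example's own (the sample reuses the `hao123.com` iframe quoted later in this thread), and the regex tokeniser assumes the attribute-escaped HTML a Markdown renderer emits; for arbitrary HTML typed by a user, use a maintained sanitizer, as the thread itself recommends.

```javascript
// Added example (not Vditor's or ld246's code): server-side filter that keeps
// only embedding elements whose source host is on an allowlist.

// Pull attributes out of a start-tag body such as ` src="x" style='y' allowfullscreen`.
// The first occurrence of a name wins, which is how browsers resolve duplicates.
function parseAttrs(body) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// An embed source is acceptable only if it is an absolute https: URL whose host
// is an allowlisted host or a subdomain of one. Relative and protocol-relative
// sources are refused because they cannot be pinned to a host. The suffix check
// keeps its leading dot, so "www.youtube.com.evil.example" does not match
// "www.youtube.com".
function hostAllowed(src, allowedHosts) {
  let u;
  try {
    u = new URL(src);
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  return allowedHosts.some((h) => u.hostname === h || u.hostname.endsWith("." + h));
}

// Remove <iframe>, <embed> and <object> elements whose source fails hostAllowed.
// For iframe/object the matching end tag is consumed together with the element
// when one follows; embed has none. The tag regex assumes renderer output, in
// which `>` inside attribute values has already been escaped to &gt;.
function filterEmbeds(html, allowedHosts) {
  const tagRe = /<(iframe|embed|object)\b([^>]*)>(?:[\s\S]*?<\/\1\s*>)?/gi;
  return html.replace(tagRe, (whole, name, body) => {
    const attrs = parseAttrs(body);
    // <object> names its source in the data attribute; the others use src.
    const src = name.toLowerCase() === "object" ? (attrs.data ?? "") : (attrs.src ?? "");
    return hostAllowed(src, allowedHosts) ? whole : "";
  });
}

// Hosts a deployment chooses to trust for embeds. This value is the example's
// own assumption, not a list taken from the project.
const ALLOWED_EMBED_HOSTS = ["www.youtube.com"];

// Constructed sample: rendered HTML containing the hao123 iframe from the
// thread, an <embed> pointing at the same host, and an allowlisted embed.
const SAMPLE_HTML =
  'before <iframe src="https://www.hao123.com" style="width:800px"></iframe> mid ' +
  '<embed src="https://www.hao123.com/x.swf"> after ' +
  '<iframe src="https://www.youtube.com/embed/abc"></iframe>';

console.log(filterEmbeds(SAMPLE_HTML, ALLOWED_EMBED_HOSTS));
```

Running the filter on the sample leaves only the YouTube iframe; the two hao123 elements are removed whole. The host check is the part worth keeping even when the tokeniser is replaced by a library: a sanitizer that merely allows the `iframe` element and its `src` attribute still lets any origin be framed.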

@88250 (Collaborator, Author) commented Mar 31, 2022

Case 3 is handled separately in #1205.

@P0cas commented Apr 2, 2022

Thanks

@Noahs007 commented Feb 3, 2024

Would it be feasible to disable tags like the following?

<iframe src="https://www.hao123.com" style="width:800px"></iframe> 类似的标签是否可行

@Noahs007 commented Feb 3, 2024

Also embed, which has an effect similar to iframe.

@Vanessa219 (Owner)

#1555
