• This plugin doesn’t escape HTML (or does it differently than Disqus).
    This might be a serious vulnerability.

    Steps to reproduce:
    1. Add a comment:
    > Some text <Avatar name={name} /> some text

    2. Observe that that piece of HTML (or XML) is escaped in the comment and displayed correctly.
    3. In the Disqus Latest Comments widget it’s not escaped: <avatar> is added to the DOM!

Viewing 1 replies (of 1 total)
  • Plugin Author ovann86

    (@ovann86)

    Thanks for reporting.

    You’re right, absolutely was vulnerable – I had assumed the API provided encoded HTML but failed to check (I saw their example code in github doesn’t encode).

    I’ve added encoding, allowing the tags they allow :: https://help.disqus.com/customer/portal/articles/466253-what-html-tags-are-allowed-within-comments-

    But I haven’t been able to reproduce how their JavaScript endpoints encode disallowed tags rather than stripping them. So at the moment <avatar> is stripped instead of encoded like the JavaScript endpoints.

    I’ll look at it again later to see if I can get it behaving consistently.
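An added illustration, not the plugin's own code (and in Python rather than the plugin's PHP), of the two behaviours the reply contrasts: a disallowed tag such as `<Avatar name={name} />` is either stripped or encoded back to text, while a whitelist of tags passes through. The tag list, the attribute rules and the `sanitize` helper are assumptions for the example, not the Disqus list linked above.

```python
import html
from html.parser import HTMLParser

# Constructed whitelist for this example only; a real widget should follow the
# Disqus allowed-tags page linked in the reply.
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "code", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://")


class EncodingSanitizer(HTMLParser):
    """Re-serialises comment HTML: allowed tags pass through with filtered
    attributes; every other tag is either dropped (strip mode) or re-emitted
    as escaped text (encode mode), so it never becomes a DOM element."""

    def __init__(self, encode_disallowed=True):
        super().__init__(convert_charrefs=True)
        self.encode_disallowed = encode_disallowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue
                if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                    continue  # drop javascript:, data: and other non-http links
                kept.append(f' {name}="{html.escape(value or "")}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
        elif self.encode_disallowed:
            # get_starttag_text() is the raw tag as typed, e.g. "<Avatar name={name} />"
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)
            self.handle_endtag(tag)
        elif self.encode_disallowed:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        elif self.encode_disallowed:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize(comment_html, encode_disallowed=True):
    parser = EncodingSanitizer(encode_disallowed)
    parser.feed(comment_html)
    parser.close()
    return "".join(parser.out)
```

Run on the constructed comment from the report, `sanitize("Some text <Avatar name={name} /> some text")` yields the encoded form the reporter saw in the Disqus thread, while `encode_disallowed=False` reproduces the stripping the reply describes.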

  • The topic ‘XSS: Potential vulneralibility!!’ is closed to new replies.