The vulnerability in the prosemirror_to_html gem (versions < 0.2.1) stems from an incomplete sanitization step when a ProseMirror document is converted to HTML. Text content inside HTML tags is correctly escaped, but the values of HTML attributes are written out unescaped and unvalidated. This creates a critical security gap. An attacker can craft a ProseMirror document whose nodes carry dangerous attributes: for instance, an anchor node with an `href` attribute using the `javascript:` scheme (`<a href="javascript:alert('XSS')">`), or an image node with an `onerror` event handler (`<img src=x onerror="alert('XSS')">`). When the vulnerable gem processes such a document, these attributes are emitted directly into the final HTML without being neutralized. When an end-user's browser loads the generated page, it treats the attributes as executable code, so arbitrary JavaScript runs in the context of the victim's session.
Platform: RubyGems
Version: < 0.2.1
Vulnerability: XSS
Severity: Critical
Date: 2024-01-24
Prediction: Patch 2024-02-07
What Undercode Say:
Check the installed version:
gem list prosemirror_to_html
Vulnerable conversion:
html = ProsemirrorToHtml::Renderer.new(document).render
Manual sanitization workaround:
require 'sanitize'
safe_html = Sanitize.fragment(html)
How Exploit:
<a href="javascript:alert('XSS')">Click</a>
<img src=x onerror="alert(1)">
<div onclick="maliciousCode()">
Protection from this CVE:
Upgrade the gem:
gem update prosemirror_to_html -v '>= 0.2.1'
Add a Content Security Policy:
<!-- Content Security Policy -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
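The defect described above (text escaped, attribute values passed through) and the fix the upgrade delivers can be seen side by side in a small renderer. The following is an added example written for this post; it is not code from the prosemirror_to_html gem, and the node shapes, the `render_unsafe` / `render_safe` functions and the attribute allow-list are assumptions made for illustration. The unsafe renderer reproduces the defect class; the hardened renderer allow-lists attribute names per node type, checks the URL scheme of `href` and `src` values, and HTML-escapes every attribute value before emitting it.

```ruby
require 'cgi'
require 'uri'

# Constructed ProseMirror-style document (not taken from the advisory): a link
# mark with a javascript: href, an image carrying an onerror handler in attrs,
# and an image whose alt text tries to break out of the attribute quotes.
MALICIOUS_DOC = {
  'type' => 'doc',
  'content' => [{ 'type' => 'paragraph', 'content' => [
    { 'type' => 'text', 'text' => 'Click',
      'marks' => [{ 'type' => 'link', 'attrs' => { 'href' => "javascript:alert('XSS')" } }] },
    { 'type' => 'image', 'attrs' => { 'src' => 'x', 'onerror' => 'alert(1)' } },
    { 'type' => 'image', 'attrs' => { 'src' => '/a.png', 'alt' => '" onerror="alert(2)' } }
  ] }]
}.freeze

# Hypothetical renderer reproducing the defect class: text nodes are escaped,
# but attribute values are interpolated verbatim into the markup.
def render_unsafe(node)
  case node['type']
  when 'doc', 'paragraph'
    inner = (node['content'] || []).map { |c| render_unsafe(c) }.join
    node['type'] == 'paragraph' ? "<p>#{inner}</p>" : inner
  when 'text'
    html = CGI.escapeHTML(node['text'].to_s)
    (node['marks'] || []).each do |m|
      html = "<a href=\"#{m['attrs']['href']}\">#{html}</a>" if m['type'] == 'link'
    end
    html
  when 'image'
    attrs = (node['attrs'] || {}).map { |k, v| "#{k}=\"#{v}\"" }.join(' ')
    "<img #{attrs}>"
  else
    ''
  end
end

# Hardened variant: only known attributes survive, URL-bearing attributes must
# use an allow-listed scheme (or be relative), and every value is escaped.
ALLOWED_ATTRS = { 'image' => %w[src alt title], 'link' => %w[href title] }.freeze
SAFE_SCHEMES = %w[http https mailto].freeze

def safe_url(value)
  return nil unless value.is_a?(String)
  uri = URI.parse(value.strip)
  # Relative URLs carry no scheme; absolute ones must use an allow-listed scheme.
  return value if uri.scheme.nil? || SAFE_SCHEMES.include?(uri.scheme.downcase)
  nil
rescue URI::InvalidURIError
  nil # values that do not parse as a URI are dropped rather than passed through
end

def attr_string(type, attrs)
  (attrs || {}).filter_map do |name, value|
    next unless ALLOWED_ATTRS.fetch(type, []).include?(name)
    value = safe_url(value) if %w[href src].include?(name)
    next if value.nil?
    %(#{name}="#{CGI.escapeHTML(value.to_s)}")
  end.join(' ')
end

def render_safe(node)
  case node['type']
  when 'doc', 'paragraph'
    inner = (node['content'] || []).map { |c| render_safe(c) }.join
    node['type'] == 'paragraph' ? "<p>#{inner}</p>" : inner
  when 'text'
    html = CGI.escapeHTML(node['text'].to_s)
    (node['marks'] || []).each do |m|
      next unless m['type'] == 'link'
      a = attr_string('link', m['attrs'])
      # A link whose href was rejected degrades to plain text instead of a bare <a>.
      html = a.empty? ? html : "<a #{a}>#{html}</a>"
    end
    html
  when 'image'
    a = attr_string('image', node['attrs'])
    a.include?('src=') ? "<img #{a}>" : ''
  else
    ''
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(MALICIOUS_DOC)
  puts render_safe(MALICIOUS_DOC)
end
```

Run stand-alone, the unsafe renderer emits the `javascript:` link, the `onerror` handler and an `alt` value that closes its own quotes and injects a second `onerror`; the hardened renderer outputs `<p>Click<img src="x"><img src="/a.png" alt="&quot; onerror=&quot;alert(2)"></p>`. Escaping alone would not have been enough: the `javascript:` href contains no character that escaping changes, which is why a scheme allow-list on `href` and `src` is needed in addition to escaping. The `Sanitize.fragment` workaround above applies the same kind of allow-listing on the output side, after the gem has already rendered the HTML.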
Impact:
Session hijacking
Data theft
Account compromise
Sources:
Reported By: github.com