
Report a cross-site scripting (XSS) security vulnerability in the braft-editor allowing remote attackers to run arbitrary web script inside a div embed media element by injecting a crafted HTML element into the editor. #880

Open
testivy opened this issue Feb 19, 2021 · 1 comment


testivy commented Feb 19, 2021

Dear Author,
I'm testivy. I found that the current version of braft-editor has a cross-site scripting (XSS) vulnerability that allows remote attackers to run arbitrary web script inside a div embed media element by injecting a crafted HTML element into the editor.
As shown on the official demo site:
https://braft.margox.cn/demos/basic
or
https://braft.margox.cn/
[screenshot]
When I go to the media library toolbar and choose the "add network resources" button below, and then select the embed media item, as shown in the figures below:
[screenshots]

Steps to reproduce

  1. Inject a crafted HTML element into the editor, like this:
     <img/src=1 onerror=alert(1)>
  2. Click the insert button
     [screenshot]
  3. Click the play button to play the inserted video in the editor
  4. View the page and you will see a pop-up produced by the injected script.
     [screenshot]

Vulnerability details

This problem mainly occurs in braft-editor/src/renderers/atomics/Embed/index.jsx

```jsx
return (
    <div className="bf-embed-wrap">
      <PlayerModal
        type="embed"
        onRemove={removeEmbed}
        poster={meta ? meta.poster || '' : ''}
        language={language}
        url={url}
        name={name}
        title={language.videoPlayer.embedTitle}
      >
        {/* XSS sink: `url` is user-supplied embed markup rendered as raw HTML */}
        <div
          className="bf-embed-player"
          dangerouslySetInnerHTML={{ __html: url }}
        />
      </PlayerModal>
    </div>
  );
```

As we can see, the dangerouslySetInnerHTML above accepts the url variable from the input without escaping it, which could lead to running arbitrary code, even stealing the user's cookies, etc.
If we input a simple script like "<img/src=1 onerror=alert(1)>", the browser will render it to the HTML below:
<div class="bf-embed-player"><img src="1" onerror="alert(1)"></div>
and finally pop up an alert window.

Best Regards
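The fix pattern for this class of sink is to never hand user-supplied markup to dangerouslySetInnerHTML at all, and instead rebuild the embed from validated pieces. The following is an added example and not braft-editor's own code: a function safeEmbedHtml (a hypothetical name) that accepts only a single <iframe> whose src is an https URL on an allowlisted host, discards every other attribute (so onerror, onload and similar handlers never survive), and returns null for anything else, including the <img onerror> payload from this report. The host allowlist and the attribute names kept are assumptions for the demo.

```javascript
// Added example, not braft-editor code: an allowlist gate for "embed media"
// markup that runs BEFORE anything reaches dangerouslySetInnerHTML.
// The hosts below are an assumption for the demo; adjust to what you embed.
const ALLOWED_EMBED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// Accept exactly one <iframe ...></iframe> and nothing else. Any other
// element (e.g. <img onerror=...>), trailing markup or nested content is
// rejected outright rather than "cleaned".
const SINGLE_IFRAME_RE = /^\s*<iframe\b([^>]*)>\s*<\/iframe>\s*$/i;

// Tokenizes  name, name=value, name="value", name='value'  pairs.
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Returns a freshly built iframe string, or null when the input is not an
// acceptable embed. Nothing is copied verbatim from the input: only src
// (validated), width and height (digits only) influence the output.
function safeEmbedHtml(input) {
  const tag = SINGLE_IFRAME_RE.exec(String(input));
  if (!tag) return null;
  const attrs = parseAttributes(tag[1]);
  if (!attrs.src) return null;

  let src;
  try { src = new URL(attrs.src); } catch { return null; }   // relative or garbage
  if (src.protocol !== 'https:') return null;                // blocks javascript:, data:, http:
  if (!ALLOWED_EMBED_HOSTS.has(src.hostname)) return null;   // blocks user@host tricks too

  const dim = (v, fallback) => (/^\d{1,4}$/.test(v || '') ? v : fallback);
  return `<iframe src="${escapeAttr(src.href)}" width="${dim(attrs.width, '560')}" ` +
         `height="${dim(attrs.height, '315')}" frameborder="0" allowfullscreen ` +
         `sandbox="allow-scripts allow-same-origin" referrerpolicy="no-referrer"></iframe>`;
}

// In the renderer the sink would then only ever see the vetted string
// (illustrative, not braft-editor's actual component):
//   <div className="bf-embed-player"
//        dangerouslySetInnerHTML={{ __html: safeEmbedHtml(url) ?? '' }} />
```

The gate is deliberately a strict allowlist rather than a general HTML cleaner: anything that is not exactly one iframe on a known host is refused, which is the right default for an embed feature, and the regex never has to be robust against the full HTML grammar because it only has to recognise the one shape it accepts. In a real project the same rule can be enforced with a maintained sanitizer such as DOMPurify configured to allow only iframe, but the src scheme and host check still belongs in application code.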

@testivy testivy changed the title Report a cross-site scripting (XSS) security vulnerability in the braft-editor allows remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML element into the editor. Report a cross-site scripting (XSS) security vulnerability in the braft-editor allowing remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML element into the editor. Feb 19, 2021
@ivybao0628 commented:

Following
