WYSIWYG + XSS
Date: September 02, 2006 12:51PM

Traditionally speaking, you're allowed to put anything you want in a textarea, so long as you escape the special html characters properly. Easy enough, right?

Now, suppose we tack on a WYSIWYG editor. Suddenly, these textareas take on a different meaning: they're effectively HTML output. Now, if you're creating a post with this editor, it's a non-issue: the default value is blank. However, if you're an administrator editing a post with a WYSIWYG editor, well, things could get a little hairy.

While a lot of the usual JavaScript vectors don't work (onclick and onmouseover have no effect), I've been able to get XSS output by TinyMCE using the <iframe> trick. So the problem is definitely there, and even more insidious: if you've got a good HTML library on the output stream, all the iframes would have been silently dropped giving no indication of the malicious internals.

I suppose there are several possible solutions, the simplest being:

1. Do inbound filtering. Disadvantage: you're prone to lose data if you pass poorly formed HTML.
2. Filter out content on its way to the textarea. Disadvantage: What's the point of storing the content in the database in its unfiltered form?
3. Make all textareas with default content non-WYSIWYG. Disadvantage: Not as user-friendly.

Any comments?

HTML Purifier - Standards Compliant HTML filtering
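The post above raises two points: the stored HTML has to be sanitized on every path that turns it back into markup (the public page and the admin's WYSIWYG edit form alike), and a sanitizer that silently drops iframes hides the fact that anything was there. The following is an added example, not code from HTML Purifier, TinyMCE or the poster; it is a small allowlist sanitizer built on Python's html.parser that returns both the cleaned markup and an audit list of what it stripped, so an edit form can show the administrator that the post contained an iframe or an event handler. The tag and attribute allowlists, the URL scheme list and the sample post are all constructed for the example.

```python
"""Allowlist HTML sanitizer that reports what it removed.

Added example (not HTML Purifier's or TinyMCE's code). Used on both output
paths: rendering a post, and loading it into an admin's edit form.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for the example; a real site tunes these.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "blockquote"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # only absolute URLs are kept
# Elements whose inner content is discarded together with the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.removed = []   # audit trail of stripped tags/attributes
        self._skip = 0      # >0 while inside a dropped-with-content element
        self._open = []     # allowed tags currently open, so output stays balanced

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")
            if tag in DROP_WITH_CONTENT:
                self._skip = 1
            return
        kept = []
        for name, value in attrs:            # html.parser already lowercases names
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"{tag}@{name}")   # drops on*, style, etc.
                continue
            if name == "href":
                # Ignore whitespace/control characters browsers skip in schemes.
                probe = "".join(c for c in value if c > " ").lower()
                if not probe.startswith(SAFE_SCHEMES):
                    self.removed.append(f"{tag}@href={value!r}")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in self._open:
            # Close anything opened after it so the output is well-formed.
            while self._open:
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

    def result(self):
        self.out.extend(f"</{t}>" for t in reversed(self._open))  # close leftovers
        self._open = []
        return "".join(self.out)


def sanitize(html):
    """Return (clean_html, removed); `removed` lets the caller flag stripped content."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result(), p.removed


def textarea_value(stored_html):
    """Value for the admin edit form: sanitize first, then escape for the
    <textarea>, so the WYSIWYG editor only ever sees allowlisted markup."""
    clean, removed = sanitize(stored_html)
    return escape(clean), removed


# Constructed sample of an unfiltered database row, in the spirit of the post above.
STORED_POST = (
    '<p onclick="alert(1)">Hello <b>world</b></p>'
    '<iframe src="http://attacker.invalid/"></iframe>'
    '<a href="javascript:alert(2)">click</a>'
    '<a href="https://example.org/">ok</a>'
)

if __name__ == "__main__":
    clean, removed = sanitize(STORED_POST)
    print(clean)
    print("stripped:", removed)
```

Because the sanitizer is applied at render time and at edit-form time, the database can keep the original submission (the poster's objection to option 2) while the editor never loads an iframe or an event handler; the `removed` list is what turns a silent drop into something the administrator can see.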

Re: WYSIWYG + XSS
Posted by: rsnake
Date: September 02, 2006 01:38PM

Funny you should mention that, I've seen the exact same issues with iframes and WYSIWYG HTML editors. For simple redirection and CSRF it's beautiful, I've had mixed results with JavaScript, depending on what the system is, but yes, I've definitely seen what you're talking about (it really started taking off about a year ago; that problem began surfacing itself more and more, as I think more companies think that rich HTML editors are what the public wants).

- RSnake
Gotta love it. http://ha.ckers.org

Re: WYSIWYG + XSS
Date: September 03, 2006 09:36PM

It probably is. For my case, I decided to do filtering on all outbound areas, because it was too painful to find all the input points.

Hopefully, my integration with a bugtracker http://hp.jpsband.org/mantis/ didn't introduce any XSS holes.

Re: WYSIWYG + XSS
Posted by: rsnake
Date: September 04, 2006 01:49PM

I'm sure we can take a look if you don't mind us poking around on it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: WYSIWYG + XSS
Date: September 04, 2006 03:47PM

I've added a Test Bug that you can play around with. http://hp.jpsband.org/mantis/view.php?id=1
