Hi,
I noticed that PR #4788 fixes the XSS in Formula, Video, and Image formats, nice work. However, the Syntax module has the exact same bug in a different code path that the PR doesn't cover.
In modules/syntax.ts around line 162:
```ts
return `<pre data-language="${language}">\n${escapeText(
  this.code(index, length),
)}\n</pre>`;
```
escapeText() is applied to the code content but not to the language value. An attacker can set the language via quill.formatLine() to something like:
"><img src=x onerror="alert('XSS')">
Which breaks out of the data-language attribute and executes arbitrary JavaScript when the semantic HTML is rendered.
The fix is the same pattern as the other formats, just wrap it:
```ts
return `<pre data-language="${escapeText(language)}">\n${escapeText(
  this.code(index, length),
)}\n</pre>`;
```
To reproduce: open any Quill instance with the syntax module enabled (https://quilljs.com/playground/snow) and paste this in the browser console:
```js
quill.setText('console.log("hello");\n');
quill.formatLine(0, 1, 'code-block', 'javascript');
quill.formatLine(0, 1, 'code-block', '"><img src=x onerror="alert(document.domain)">');
var html = quill.getSemanticHTML();
console.log("Output:", html);
document.body.insertAdjacentHTML('beforeend', html); // triggers alert()
```
Happy to open a PR if helpful.
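Added example (not Quill's own code, and not part of the issue above): a stand-in `escapeText` with the usual HTML-entity semantics, the 'before' and 'after' renderings of the code-block template from the report, and a regression check a test suite could keep so the unescaped-attribute case cannot come back. The `escapeText`, `renderCodeBlock*` and `isWellFormedCodeBlock` names are assumptions for this example, not identifiers from the Quill code base.

```javascript
// Stand-in for an HTML escaper (assumed to match the semantics the issue
// relies on: &, <, >, " and ' become entities).
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeText(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// 'Before': only the code body is escaped (the bug the issue reports).
function renderCodeBlockVulnerable(language, code) {
  return `<pre data-language="${language}">\n${escapeText(code)}\n</pre>`;
}

// 'After': the language attribute value is escaped as well (the proposed fix).
function renderCodeBlockFixed(language, code) {
  return `<pre data-language="${escapeText(language)}">\n${escapeText(code)}\n</pre>`;
}

// Regression check for this exact template: the output must be a single
// <pre> element whose only attribute is data-language, with no raw quote or
// angle bracket in the attribute value and no tag inside the body.
function isWellFormedCodeBlock(html) {
  const open = html.match(/^<pre data-language="([^"<>]*)">\n/);
  if (!open) return false;
  const tail = '\n</pre>';
  const body = html.slice(open[0].length);
  if (!body.endsWith(tail)) return false;
  const inner = body.slice(0, -tail.length);
  return !/[<>]/.test(inner);
}

// Constructed sample input: the language value from the issue's reproduction
// and a benign one-line snippet as the code body.
const HOSTILE_LANGUAGE = '"><img src=x onerror="alert(document.domain)">';
const SAMPLE_CODE = 'console.log("hello");';

function demo() {
  const before = renderCodeBlockVulnerable(HOSTILE_LANGUAGE, SAMPLE_CODE);
  const after = renderCodeBlockFixed(HOSTILE_LANGUAGE, SAMPLE_CODE);
  return {
    beforeOk: isWellFormedCodeBlock(before), // false: attribute broken out of
    afterOk: isWellFormedCodeBlock(after),   // true: value stays inside the quotes
    benignOk: isWellFormedCodeBlock(renderCodeBlockFixed('javascript', SAMPLE_CODE)),
  };
}
```

Running `demo()` returns `{ beforeOk: false, afterOk: true, benignOk: true }`, which is the assertion worth keeping in the Syntax module's tests once the one-line fix lands.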