Bad Sanitization in Mermaid.js leading to XSS
Original Post:
We discussed this vulnerability during Episode 111 on 17 January 2022
If you're going to apply a blacklist to remove content, perform it recursively.
const sanitizeUrl = function (s) {
  return s
    .replace(/&/g, '&amp;')   // escape for attribute context
    .replace(/</g, '&lt;')
    .replace(/javascript:/g, ''); // single pass: strips the token once, not to a fixed point
};
...
var sanitizedLink = sanitizeUrl(links[key]);
This should trigger some alarm bells: it removes the javascript: string, but only in a single pass. Classic blacklist bypass: javajavascript:script:. The replace removes the middle javascript:, and the resulting string is javascript: again.
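As an added illustration (my own code, not Mermaid's and not from the original post), the single-pass pattern sits beside two hardened variants: one that reapplies the blacklist until the string stops changing (the "recursive" approach the post recommends), and one that allowlists the URL scheme instead of hunting for bad substrings. Function names, the allowed-scheme list and the sample inputs are my own assumptions.

```javascript
// Escape for an HTML attribute context (same two replacements the vulnerable
// sanitizer performs, plus '"' so the value cannot close the attribute).
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// Single-pass blacklist, mirroring the pattern described in the post.
// A nested token such as "javajavascript:script:" survives with one pass.
function sanitizeUrlSinglePass(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/javascript:/g, '');
}

// Variant 1: apply the blacklist until a fixed point is reached.
// Nesting no longer helps the attacker, but this is still a blacklist:
// case differences are handled by the /i flag, yet a newline or tab inside
// the token (which browsers strip before reading the scheme) still gets through.
function sanitizeUrlRecursive(s) {
  let prev;
  let cur = s;
  do {
    prev = cur;
    cur = cur.replace(/javascript:/gi, '');
  } while (cur !== prev);
  return escapeAttr(cur);
}

// Variant 2: allowlist the scheme. Normalize the way a browser does before it
// reads the scheme (drop leading/trailing C0 controls and spaces, drop tab and
// newline anywhere), then accept only known-safe schemes or scheme-less links.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // assumption: app policy
function sanitizeUrlAllowlist(s) {
  const cleaned = s
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.\-]*:)/i.exec(cleaned);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) {
    return 'about:blank'; // unknown or dangerous scheme: refuse rather than "repair"
  }
  return escapeAttr(cleaned); // relative links and allowed schemes pass through
}

// Constructed sample inputs for a quick side-by-side run.
const SAMPLES = [
  'javajavascript:script:alert(1)',
  '  JAVASCRIPT:alert(1)',
  'java\nscript:alert(1)',
  'https://example.com/?a=1&b=2',
  '../docs/page.html',
];
for (const input of SAMPLES) {
  console.log(JSON.stringify(input), '=>',
    JSON.stringify(sanitizeUrlSinglePass(input)),
    JSON.stringify(sanitizeUrlRecursive(input)),
    JSON.stringify(sanitizeUrlAllowlist(input)));
}
```

Running it shows the single-pass version handing back a live javascript: URL for the nested input, the fixed-point version surviving that case but not the embedded-newline variant, and the allowlist rejecting every javascript: form while leaving ordinary and relative links intact. That ordering is the practical lesson: looping the blacklist is the minimum fix, but deciding what is allowed is the one that does not need a new rule for every encoding trick.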
Two other issues were found in addLinks and addALink, though both are in effect the same issue. The normal flow would sanitize the links for their use in labels and then add the sanitized links to a list to be reused later in a display showing the links. When htmlLabels was enabled, the links would not undergo the initial sanitization, so when the popup link box used them they only had to contend with the bypassable sanitizeUrl.