Clipboard Data Handling XSS Vulnerabilities in Excalidraw and Microsoft Whiteboard

We discussed this vulnerability during Episode 241 on 12 February 2024

Two cross-site scripting vulnerabilities stemming from the handling of clipboard data in Excalidraw and Microsoft Whiteboard. One allows straightforward exploitation, whereas the other requires a bit of an iframe trick.

The first issue is a Cross-Site Scripting (XSS) vulnerability arising from the mishandling of clipboard data within Excalidraw. Specifically, HTML elements in clipboard data make their way into renderElementToSvg. For links, the link value is used directly as an anchor tag's href property, allowing it to point to a javascript: URL that results in cross-site scripting.

The second vulnerability began with the discovery of support for an undocumented tag (again arriving through the clipboard data): the iframe tag. While the code properly sanitized the frame's src value to prevent JavaScript URLs, it supported one other property, sandbox. The sandbox attribute describes the behavior restrictions and allowances applied to the framed content. The author was able to use the allow-top-navigation value to let his iframe redirect the top-level frame to a JavaScript URL.
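Both paste-handling defects above share one remedy: treat every attribute value that arrives via clipboard data as untrusted and allow-list it before it reaches the DOM or SVG output. The block below is an added example, not code from Excalidraw or Microsoft Whiteboard, and the helper names (`safeHref`, `safeSandbox`, `sanitizeClipboardElement`) and the `{ tag, attrs }` element shape are assumptions for illustration. It goes slightly beyond the post in one respect: candidate `href`/`src` values are normalised through the WHATWG URL parser, so scheme casing, leading whitespace and embedded tabs cannot slip a `javascript:` URL past a naive string prefix check. Iframe `sandbox` tokens are filtered so that `allow-top-navigation` (and the `allow-scripts` + `allow-same-origin` pair) are dropped.

```javascript
// Added example (not code from Excalidraw or Microsoft Whiteboard): allow-list
// filtering for attribute values that arrive via clipboard data. The helper
// names and the { tag, attrs } element shape are assumptions for illustration.

// Only these URL schemes may be written into an href or iframe src built from
// pasted content.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Normalise a candidate URL through the WHATWG URL parser before checking its
// scheme. The parser strips leading/trailing whitespace and embedded tab or
// newline characters and lower-cases the scheme, so "  JavaScript:..." and
// "java\tscript:..." both come out with protocol "javascript:" and are
// rejected, where a naive value.startsWith("javascript:") check would pass them.
function safeHref(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    // A base is supplied so that relative links resolve instead of throwing;
    // a scheme-less input therefore inherits https: from the base.
    url = new URL(value, "https://base.invalid/");
  } catch {
    return null; // unparseable input: drop the link rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Sandbox tokens a pasted iframe is permitted to keep. Tokens that let the
// framed document reach outside its own frame (allow-top-navigation,
// allow-top-navigation-by-user-activation, allow-popups, ...) are not listed
// and are therefore dropped.
const ALLOWED_SANDBOX = new Set(["allow-forms", "allow-scripts", "allow-same-origin"]);

function safeSandbox(value) {
  const tokens = new Set(
    String(value ?? "")
      .toLowerCase()
      .split(/\s+/)
      .filter((t) => ALLOWED_SANDBOX.has(t))
  );
  // allow-scripts together with allow-same-origin lets a same-origin framed
  // document remove its own sandbox attribute; keep only allow-scripts.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    tokens.delete("allow-same-origin");
  }
  // An empty token list (sandbox="") is the most restrictive setting.
  return [...tokens].sort().join(" ");
}

// Apply both filters to a minimal element description { tag, attrs }.
// Returns a sanitised copy, or null when the element must not be rendered.
function sanitizeClipboardElement(el) {
  const attrs = { ...(el.attrs || {}) };
  switch (el.tag) {
    case "a": {
      const href = safeHref(attrs.href);
      // Keep the anchor but drop a disallowed link target entirely.
      if (href === null) delete attrs.href;
      else attrs.href = href;
      return { tag: "a", attrs };
    }
    case "iframe": {
      const src = safeHref(attrs.src);
      if (src === null) return null; // no acceptable src: drop the frame
      attrs.src = src;
      // Always emit a sandbox attribute, even when the paste carried none.
      attrs.sandbox = safeSandbox(attrs.sandbox);
      return { tag: "iframe", attrs };
    }
    default:
      return null; // tags the paste handler does not expect are dropped
  }
}

// Constructed sample of what a paste handler might receive.
const pasted = [
  { tag: "a", attrs: { href: "https://example.com/doc" } },
  { tag: "a", attrs: { href: " JavaScript:void(0)" } },
  { tag: "iframe", attrs: { src: "https://example.com/embed", sandbox: "allow-top-navigation allow-scripts" } },
];
console.log(JSON.stringify(pasted.map(sanitizeClipboardElement), null, 2));
```

The design choice worth noting is that rejection is by allow-list on the parsed scheme, not by searching the raw string for `javascript:`; the parser does the normalisation that a hand-written check tends to get wrong. For the iframe case the sandbox attribute is always emitted, so a paste that omits it still lands in the most restrictive state rather than unsandboxed.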

In addition to the vulnerabilities, the post dives a bit more into the hunting process and includes some discussion about how to make exploitation more practical, which may also be of interest.