Reported to security@
Hey,
I have identified a security issue in Wikimedia Visual Editor, which
makes it possible to perform a cross-site scripting attack via copy&paste.
Here's a proof of concept:
1. Go to https://jsbin.com/lulixuhaxu/edit?html,output
2. Press "Copy" on the right side.
3. Go to Visual Editor on Wikipedia (for instance:
https://en.wikipedia.org/w/index.php?title=Cross-site_scripting&action=edit)
4. Paste the content.
5. Alert appears!
I've confirmed the exploit works in Firefox and Chrome, while it doesn't
work for Safari.
The snippet of HTML that's relevant for the exploit is:
Hello<div data-ve-clipboard-key="useClipboardData-0"><img src
onerror="alert(1)">!
Basically, Visual Editor processes and sanitizes the pasted content by
copying it to a <div> element with class="ve-ce-surface-paste". The code
is presanitized by the browser and by VE itself.
However, when the pasted content contains an element with attribute
data-ve-clipboard-key [1], then it is assigned to a variable called
clipboardKey.
Later, if clipboardKey is equal to "useClipboardData-0" [2], VE decides
that it works with the unsanitized markup. Then, the code is imported to
the document via a few document.importNode calls, executing the XSS.
I think the fix should be to sanitize the content when using
beforePasteData.html to handle pasted content.
Cheers,
Michał
[1]:
https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2330
[2]:
https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2505