Reported to security@
Hey, I have identified a security issue in Wikimedia Visual Editor, which makes it possible to perform a cross-site scripting attack via copy & paste. Here's a proof of concept:

1. Go to https://jsbin.com/lulixuhaxu/edit?html,output
2. Press "Copy" on the right side.
3. Go to Visual Editor on Wikipedia (for instance: https://en.wikipedia.org/w/index.php?title=Cross-site_scripting&action=edit)
4. Paste the content.
5. Alert appears!

I've confirmed the exploit works in Firefox and Chrome, while it doesn't work for Safari.

The snippet of HTML that's relevant for the exploit is:

Hello<div data-ve-clipboard-key="useClipboardData-0"><img src onerror="alert(1)">!

Basically, Visual Editor processes and sanitizes the pasted content by copying it to a <div> element with class="ve-ce-surface-paste". The code is presanitized by the browser and by VE itself. However, when the pasted content contains an element with the attribute data-ve-clipboard-key [1], then it is assigned to a variable called clipboardKey. Later, if clipboardKey is equal to "useClipboardData-0" [2], VE decides that it works with the unsanitized markup. Then, the code is imported to the document via a few document.importNode calls, executing the XSS.

I think the fix should be to sanitize the content when using beforePasteData.html to handle pasted content.

Cheers,
Michał

[1]: https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2330
[2]: https://github.com/wikimedia/VisualEditor/blob/9d0ef183ae48e93998deae007e49f3ba55864d4e/src/ce/ve.ce.Surface.js#L2505