
[Bug]: Security vulnerability, XSS #4600

Closed
1 of 2 tasks
ElizarBatin opened this issue Nov 6, 2023 · 2 comments
Assignees
Labels
Category: Open Source The issue or pull request is related to the open source packages of Tiptap. Type: Bug The issue or pull request is related to a bug

Comments

@ElizarBatin

Which packages did you experience the bug in?

extension-youtube

What Tiptap version are you using?

2.1.12

What’s the bug you are facing?

Vulnerability in getEmbedUrlFromYoutubeUrl. An attacker can send a response to the server to store a YouTube video with any URL that contains /embed/, e.g. javascript:alert(1)//embed/ (executes arbitrary code in the site origin).

What browser are you using?

Chrome

Code example

https://github.com/ElizarBatin/tiptap-poc

What did you expect to happen?

  1. Sandbox attributes for the iframe must be set to minimize the possible iframe injection impact.
  2. The logic in the getEmbedUrlFromYoutubeUrl function should be fixed.

Anything to add? (optional)

No response

Did you update your dependencies?

  • Yes, I’ve updated my dependencies to use the latest version of all packages.

Are you sponsoring us?

  • Yes, I’m a sponsor. 💖
@ElizarBatin ElizarBatin added Category: Open Source The issue or pull request is related to the open source packages of Tiptap. Type: Bug The issue or pull request is related to a bug labels Nov 6, 2023
@ElizarBatin
Author

I tried to submit this vulnerability to the email mentioned in README.md for contact, but I didn't receive an answer :(

C-Hess added a commit to C-Hess/tiptap that referenced this issue Nov 6, 2023
Fixes risks outlined in ueberdosis#4600 by verifying that any src urls are valid
youtube URLs before rendering as HTML. My thoughts are that this attack
vector would be difficult to use because the attacker would have to have
a way to manipulate the TipTap payload in a manner that bypasses the
youtube extension's `setYoutubeVideo` command, which already checks for
valid URLs.
janthurau pushed a commit to C-Hess/tiptap that referenced this issue Nov 20, 2023
@janthurau
Collaborator

fixed by #4602
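The weak check the reporter describes (accept anything containing `/embed/`) and the fix direction in the referenced commit (only render src URLs that are really YouTube URLs), side by side as an added example. This is not Tiptap's code: `naiveGetEmbedUrl` is a hypothetical reconstruction of the flawed logic, `safeGetEmbedUrl` and `iframeAttrs` are my own, and the attribute object shape is assumed, not the extension's API.

```javascript
// Added example, not code from Tiptap or the issue thread.

// Hypothetical reconstruction of the flawed check reported in #4600:
// any string containing "/embed/" is passed straight through to <iframe src>,
// so "javascript:alert(1)//embed/" survives and runs in the page's origin.
function naiveGetEmbedUrl(url) {
  if (url.includes('/embed/')) return url;
  return null;
}

// Hardened replacement: parse with the URL constructor, pin scheme and host,
// extract the video id, then rebuild the embed URL from scratch so that no
// attacker-controlled bytes other than the validated id reach the iframe.
const YOUTUBE_HOSTS = new Set([
  'youtube.com', 'www.youtube.com', 'm.youtube.com',
  'youtube-nocookie.com', 'www.youtube-nocookie.com', 'youtu.be',
]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // YouTube ids are 11 URL-safe chars

function safeGetEmbedUrl(input) {
  let url;
  try {
    url = new URL(input);          // rejects relative or malformed input
  } catch {
    return null;
  }
  // "javascript:", "data:", "vbscript:" etc. all fail this check.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Exact host match: blocks evil.example and www.youtube.com.evil.example.
  if (!YOUTUBE_HOSTS.has(url.hostname)) return null;

  let id = null;
  if (url.hostname === 'youtu.be') {
    id = url.pathname.slice(1);                       // /<id>
  } else if (url.pathname === '/watch') {
    id = url.searchParams.get('v');                   // /watch?v=<id>
  } else {
    const m = /^\/(?:embed|shorts|v)\/([^/]+)$/.exec(url.pathname);
    if (m) id = m[1];                                 // /embed/<id>
  }
  if (!id || !VIDEO_ID.test(id)) return null;

  const host = url.hostname.endsWith('youtube-nocookie.com')
    ? 'www.youtube-nocookie.com'
    : 'www.youtube.com';
  return `https://${host}/embed/${id}`;
}

// Attributes for the rendered <iframe>. Shape is hypothetical (not the
// extension's renderHTML contract). The sandbox is defence in depth only:
// the player needs allow-scripts and allow-same-origin, and per the HTML
// spec that pair lets a same-origin document remove its own sandbox, so a
// javascript: src would not be stopped by it. Validation above is the fix.
function iframeAttrs(input) {
  const src = safeGetEmbedUrl(input);
  if (!src) return null;
  return {
    src,
    sandbox: 'allow-scripts allow-same-origin allow-presentation allow-popups',
    allow: 'accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture',
    referrerpolicy: 'strict-origin-when-cross-origin',
  };
}

// Constructed inputs: the reporter's payload plus a few lookalike hosts.
const SAMPLES = [
  'javascript:alert(1)//embed/',
  'https://www.youtube.com/watch?v=dQw4w9WgXcQ',
  'https://youtu.be/dQw4w9WgXcQ?t=5',
  'https://www.youtube.com/embed/dQw4w9WgXcQ?start=10',
  'https://www.youtube.com.evil.example/embed/dQw4w9WgXcQ',
  'https://evil.example/embed/dQw4w9WgXcQ',
  'https://www.youtube.com/embed/<script>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '=> naive:', naiveGetEmbedUrl(s), '| safe:', safeGetEmbedUrl(s));
}
```

The key design point is that the validated output is rebuilt from a fixed template and the checked id, rather than echoing the caller's string. Any check that merely looks for a substring, or only rejects a denylist of schemes, leaves room for the next bypass; the `URL` parser plus an exact host set and a strict id pattern gives an allowlist instead.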

Projects
Status: Done
Development

No branches or pull requests

4 participants