Conversation
Alex Gleason (alex@gleasonator.com)'s status on Friday, 09-Feb-2024 05:45:52 JST: Pleroma FE is still vulnerable to XSS
Alex Gleason (alex@gleasonator.com)'s status on Friday, 09-Feb-2024 05:45:51 JST: Notice how the script tag is being parsed as a child of the `a` element
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Friday, 09-Feb-2024 05:46:12 JST: @alex not good
Tadano ❄️🎅 (tadano@amala.schwartzwelt.xyz)'s status on Friday, 09-Feb-2024 06:23:56 JST: @alex where's the swiss cheese meme when you need it? :LIVE:
Alex Gleason (alex@gleasonator.com)'s status on Friday, 09-Feb-2024 06:24:36 JST: @graf I'm paranoid now. So I need to understand what really happened before I do something like, add Nostr keys into Soapbox browser storage.
I still don't know how the script closing tag is somehow used as an opening tag. But this confirms at least that there are serious problems in Pleroma FE's HTML parser. There's just a tiny missing piece I haven't found.
Pleroma on the backend is also at fault for not sanitizing it correctly. I was able to confirm that DOMPurify (in TypeScript) does the right thing. So in case anyone thinks I'm crazy for writing a TypeScript backend, this is why.
Alex Gleason (alex@gleasonator.com)'s status on Friday, 09-Feb-2024 11:53:49 JST: @graf https://gitlab.com/soapbox-pub/soapbox/-/merge_requests/2930