Coordinated Disclosure Timeline
- 2021-10-29: Report sent to email@example.com
- 2022-03-25: Publishing as per our disclosure policy
Bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues.
Latest at time of writing (0c6628c)
Issue: Bad HTML sanitization in htmleditor.js (
The HTML sanitizer does not account for closing tags with trailing spaces, e.g. </script >. Therefore, any malicious script in the form of <script>alert(document.domain)</script > will survive the sanitization and will be executed.
This issue may lead to cross-site scripting (XSS).
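An added example (not Cockpit's code and not part of the original advisory) of the bug class described above: `weakSanitize` is a constructed stand-in for a filter that only recognises an exact `</script>`, and `tolerantSanitize`, `CLOSERS` and `survivors` are hypothetical names. It goes beyond the single trailing-space case to other closing-tag spellings that an HTML parser also accepts, so it can serve as a regression check for a sanitizer.

```javascript
// Constructed stand-in for the flaw: the match only ends at an exact
// "</script>", so any other spelling of the end tag is left untouched.
function weakSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Narrow fix for this bug class only (assumption: a regex filter is kept).
// An HTML tokenizer treats everything between the tag name and the next ">"
// as part of the end tag, so the pattern must do the same.
function tolerantSanitize(html) {
  let prev;
  do {
    // Repeat until stable so a removal cannot splice a new tag together.
    prev = html;
    html = html.replace(/<script\b[^>]*>[\s\S]*?<\/script\b[^>]*>/gi, '');
  } while (html !== prev);
  return html;
}

// Constructed regression inputs: end-tag spellings a browser accepts.
const CLOSERS = ['</script>', '</script >', '</script\t>', '</script\n>', '</SCRIPT >'];

// Returns the end-tag spellings for which a <script> element is still
// present after the given sanitizer has run.
function survivors(sanitize) {
  return CLOSERS.filter((closer) => {
    const input = `<p>x</p><script>alert(document.domain)${closer}`;
    return /<script\b/i.test(sanitize(input));
  });
}

console.log('weak sanitizer misses:', survivors(weakSanitize).map((c) => JSON.stringify(c)));
console.log('tolerant sanitizer misses:', survivors(tolerantSanitize));
```

Matching `<script>` with a regular expression remains fragile; in the browser, a parser-based allow-list sanitizer is the more robust fix.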
This issue was found using the following CodeQL Query.
- Start an instance:
sudo docker run -d --name cockpit -p 8080:80 agentejo/cockpit
- Log in with username:
- Create a new collection (press the plus in the “Collections” box).
- Add a field, and set the field type to HTML (click the cog on the right).
- Fill in the required details (press “SAVE” at the bottom to see what you’ve missed).
- Go to the entries for the newly created collection (there is a “Show entries” at the bottom after you press save; alternatively, you can click the collection from the front page).
- Create a new entry.
- Paste the following into the editor:
- Observe that an alert box will appear in the browser.
This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).
You can contact the GHSL team at firstname.lastname@example.org. Please include a reference to GHSL-2021-1035 in any communication regarding this issue.