Coordinated Disclosure Timeline
- 2021-11-24: Maintainer contacted
- 2022-04-12: Maintainer contacted again
- 2022-05-29: Public issue created asking for a security contact
- 2022-05-26: Updated the public issue with our intention to publish the advisory due to the lack of response.
- 2022-05-31: Publishing as per GitHub SecLab disclosure policy
Summary
medium.js is prone to XSS when handling untrusted placeholder values.
Product
medium.js
Tested Version
Details
Issue 1: XSS while handling placeholder field (GHSL-2021-1046)
An attacker who is able to influence the placeholder field when creating a Medium instance can supply arbitrary HTML or JavaScript code that will be rendered in the context of a user, potentially leading to XSS.
Proof of concept snippet:
new Medium({
element: document.getElementById('editor'),
placeholder: "<img src='foobar' onerror='alert(5)' />"
});
Vulnerable code: medium.js
//element setup
placeholder.className = s.cssClasses.placeholder + ' ' + s.cssClasses.placeholder + '-' + s.mode;
// s.placeholder is attacker-influenced and concatenated straight into markup, so the HTML parser interprets it
placeholder.innerHTML = '<div>' + s.placeholder + '</div>';
el.parentNode.insertBefore(placeholder, el);
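The following is an added example, not code from Medium.js or from the advisory. It places the vulnerable pattern (string concatenation into innerHTML) beside two hardened variants: escaping the placeholder before concatenation, and building the node with textContent so the HTML parser is never involved. The payload constant reuses the proof-of-concept string above; the function names and the `doc`/`container` parameters are assumptions for illustration.

```javascript
// Added example (not Medium.js code): why the placeholder reaches the HTML
// parser, and two ways to keep it as plain text.

// Constructed payload, copied from the proof of concept in this advisory.
const POC_PLACEHOLDER = "<img src='foobar' onerror='alert(5)' />";

// Mirrors the vulnerable pattern: raw string concatenation destined for innerHTML.
function buildPlaceholderMarkupUnsafe(placeholder) {
  return '<div>' + placeholder + '</div>';
}

// Minimal HTML escaper for text that lands inside element content or a quoted
// attribute. The five characters below are the ones that change HTML structure.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened string-building variant: the placeholder is escaped first, so the
// parser sees literal text rather than an <img> element with an onerror handler.
function buildPlaceholderMarkupSafe(placeholder) {
  return '<div>' + escapeHtml(placeholder) + '</div>';
}

// Preferred DOM variant: avoid innerHTML entirely. `doc` is a DOM document and
// `container` the placeholder element the editor creates (both assumed names).
function renderPlaceholderSafely(doc, container, placeholder) {
  const div = doc.createElement('div');
  div.textContent = placeholder; // textContent never invokes the HTML parser
  container.appendChild(div);
  return div;
}

// Stand-alone demonstration when run under Node (no DOM available).
if (typeof document === 'undefined') {
  console.log('unsafe :', buildPlaceholderMarkupUnsafe(POC_PLACEHOLDER));
  console.log('escaped:', buildPlaceholderMarkupSafe(POC_PLACEHOLDER));
}
```

Of the two fixes, the textContent variant is the one to prefer in a browser: it needs no escaping logic to get right, and it cannot regress into markup interpretation if the placeholder is later reused in a different context. The escaping variant is shown for cases where the markup string itself must be kept.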
Impact
This issue may lead to XSS
Resources
- https://github.com/jakiestfu/Medium.js/issues/213
Credit
This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-1046 in any communication regarding this issue.