skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
May 31, 2022

GHSL-2021-1046: Cross-site scripting (XSS) in medium.js

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

medium.js is prone to XSS when handling untrusted placeholder values.

Product

medium.js

Tested Version

1.0.1

Details

Issue 1: XSS while handling placeholder field (GHSL-2021-1046)

An attacker that is able to influence the field placeholder when creating a Medium instance is able to supply arbitrary html or javascript code that will be rendered in the context of a user, potentially leading to XSS.

Proof of concept snippet:

new Medium({
    element: document.getElementById('editor'),
    placeholder: "<img src='foobar' onerror='alert(5)' />"
});

Vulnerable code: medium.js

//element setup
placeholder.className = s.cssClasses.placeholder + ' ' + s.cssClasses.placeholder + '-' + s.mode;
placeholder.innerHTML = '<div>' + s.placeholder + '</div>';
el.parentNode.insertBefore(placeholder, el);

Impact

This issue may lead to XSS

Resources

Resources

Credit

This issue was discovered by GitHub team member @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1046 in any communication regarding this issue.