XSS using Mastodon Posts

[myyxl]

Hotfix cffc0e8 did not fix the initial XSS vulnerability, but implemented another XSS vulnerability. I would have made a merge request to fix it, but it's a bit more complicated and I'm not too familiar with Mastodon and the Fediverse.

When fetching messages using the Mastodon API, user submitted HTML tags are encoded using HTML entities. This would prevent XSS by default, but createTextComponent in MessageView converts it to text again, which resolves the HTML entities.

apus/src/main/java/swiss/fihlon/apus/ui/view/MessageView.java

Line 67 in ff6bab2

final String messageText = Jsoup.parse(message.html()).text();

The converted text is then used in the truncateMessageText method if the length is bigger than 500 characters. This was the initial XSS vulnerability. Before the hotfix, if the message length was less than 500 characters it would have taken message.html() where the HTML entities are not resolved yet. Since the hotfix replaces it with the converted messageText, XSS is also possible using less than 500 characters now.

One way to fix it might be to use message.html() everywhere. The issue is, I'm not sure if a malicious mastodon instance could push posts where HTML entities are not encoded. So it might be safer to use some sanitizer.

[McPringle]

Hi @myyxl

Thank you very much for your report. As you might have already noticed, I made some changes to prevent XSS attacs through Mastodon posts. I installed an instance for testing using the nightly build, which is available here: https://apus.fihlon.swiss/

This instance is configured to scan for messages with the tag #TestTheWall. I would be happy if you can confirm that your attac does no longer work.

Thank you very much!

[myyxl]

Looks good to me!

[McPringle]

Thanks @myyxl for your report and review!