Hotfix cffc0e8 did not fix the initial XSS vulnerability, but implemented another XSS vulnerability. I would have made a merge request to fix it, but it's a bit more complicated and I'm not too familiar with Mastodon and the Fediverse.
When fetching messages using the Mastodon API, user-submitted HTML tags are encoded using HTML entities. This would prevent XSS by default, but createTextComponent in MessageView (apus/src/main/java/swiss/fihlon/apus/ui/view/MessageView.java, line 67 at ff6bab2) converts it to text again, which resolves the HTML entities.
The converted text is then used in the truncateMessageText method if the length is bigger than 500 characters. This was the initial XSS vulnerability. Before the hotfix, if the message length was less than 500 characters it would have taken message.html() where the HTML entities are not resolved yet. Since the hotfix replaces it with the converted messageText, XSS is also possible using less than 500 characters now.
One way to fix it might be to use message.html() everywhere. The issue is, I'm not sure if a malicious Mastodon instance could push posts where HTML entities are not encoded. So it might be safer to use some sanitizer.
Thank you very much for your report. As you might have already noticed, I made some changes to prevent XSS attacks through Mastodon posts. I installed an instance for testing using the nightly build, which is available here: https://apus.fihlon.swiss/
This instance is configured to scan for messages with the tag #TestTheWall. I would be happy if you can confirm that your attack no longer works.