Bookstack: Stored Cross-Site Scripting

Created on 26 Oct 2017 · 10 Comments · Source: BookStackApp/BookStack

For Bug Reports

  • BookStack Version (Found in settings, Please don't put 'latest'): BookStack v0.18.4
  • PHP Version: 7.0
  • MySQL Version: Ver 14.14 Distrib 5.7.20, for Linux (x86_64)
Expected Behavior

Filter out JS code. Any author can write Cross-site scripting payloads and cause issues for the users.

Current Behavior

JS code is not filtered within the page creation

Steps to Reproduce
  1. Create a book
  2. Create a page
  3. While editing the page, choose to edit the source code and add <script>alert(1)</script>
  4. Visit the page (alert box should pop up)

All 10 comments

Doesn't work for me... it's fine when I reproduce your steps.

Hi @ProDigySML, Thanks for opening this issue. Please could you confirm the editor you're using? Markdown or WYSIWYG?

@ssddanbrown The editor shouldn't really matter much to be honest (I think I was using the WYSIWYG one though). There should be some server side sanitisation in place, ensuring such bugs don't occur. Maybe something like HTML encoding the user's input may be a good way to fix it :)

Huh, looks like someone filed a CVE for this:
https://www.cvedetails.com/cve/CVE-2017-1000462/

I cannot replicate this with Firefox 58.0.1 and Bookstack v0.20 when using the WYSIWYG editor.

I even tried putting it in the header, and putting it in with the "Source Code" button.

Ok, let's analyze this a little closer ... I tried to reproduce this in version 0.18.0 without success, but it seems that the sanitisation is done by JavaScript in the editor (TinyMCE 4.6.2 in BookStack 0.18.0) because the script tags get removed immediately after closing the source code panel. Manually manipulating the editor's content before saving does remove the script tags too, at least they are not in the page when I edit it again.

Since this is a JavaScript-based sanitisation this might fail depending on browser and version, which, in my opinion, is not related to BookStack.

Thanks everyone for the research above.
It's likely this was raised with the Markdown editor in use since JavaScript is not escaped in that.
Whether this is an issue or not really depends on how someone is using BookStack. For my own uses I quite like the idea of being able to add a little JS if required but I understand it's not ideal for non-trusted environments.

I know the easy answer here is 'Make it an option' but I like to explore all ideas and opinions otherwise 'Make it an option' is always the answer.

Marked for next release. Plan to have an .env var to toggle <script> tag escaping on page render. Will default to on (escaped). Will run on render instead of on save to allow option toggling at any point.

For reference, Setting ALLOW_CONTENT_SCRIPTS=true in the .env will prevent escaping.
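The render-time escaping the maintainer describes, as an added example written for this page and not BookStack's own code: a helper that escapes `<script>` tags when stored page HTML is rendered, plus a lookup that mirrors the `ALLOW_CONTENT_SCRIPTS=true` toggle from the `.env` file. The function names and the sample page content are assumptions.

```php
<?php
// Added example (not BookStack's own code): escape <script> elements in stored
// page HTML at render time, toggled by ALLOW_CONTENT_SCRIPTS as the thread
// describes. Function names and the sample content below are assumptions.

/**
 * Mirrors the .env toggle: only a truthy ALLOW_CONTENT_SCRIPTS value (e.g. "true")
 * keeps scripts live; unset or any other value means scripts are escaped.
 */
function contentScriptsAllowed(): bool
{
    $raw = getenv('ALLOW_CONTENT_SCRIPTS');
    return $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Escape opening and closing <script> tags so the browser renders them as
 * text instead of executing them. Runs on render rather than on save, so the
 * setting can be flipped at any time without rewriting stored pages.
 */
function escapeContentScripts(string $html, bool $allowScripts = false): string
{
    if ($allowScripts) {
        return $html;
    }

    // Case-insensitive match for <script ...> and </script>, tolerating
    // attributes and stray whitespace inside the tag. The script body itself is
    // left as-is; once the tags are escaped it is plain text to the browser.
    $pattern = '/<\s*\/?\s*script\b[^>]*>/i';

    return preg_replace_callback(
        $pattern,
        function (array $m): string {
            return htmlspecialchars($m[0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $html
    );
}

// Constructed sample: page HTML as the Markdown editor would store it.
$stored = '<p>Intro</p><script>alert(1)</script><p>More text</p>';

// Default (escaped) path. In the application the second argument would be
// contentScriptsAllowed(); it is forced to false here so the check below
// holds regardless of the local .env contents.
$escaped = escapeContentScripts($stored, false);
if (stripos($escaped, '<script') !== false) {
    throw new RuntimeException('script tag survived escaping');
}
echo $escaped, PHP_EOL;

// Opt-in path, equivalent to ALLOW_CONTENT_SCRIPTS=true: content is untouched.
echo escapeContentScripts($stored, true), PHP_EOL;
```

In a Blade view the call would wrap the page body, for example `{!! escapeContentScripts($page->html, contentScriptsAllowed()) !!}`, so the toggle is evaluated on every render. Escaping only the `<script>` element is the narrow fix planned in this thread; for a non-trusted environment, the server-side sanitisation suggested earlier (an allowlist-based HTML sanitiser applied to the stored content) is the more robust option.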
