Gutenberg: xss attacks possibilities with html block

Created on 9 Jul 2018 · 3 Comments · Source: WordPress/gutenberg

Describe the bug
I just tried to make a JS block for Gutenberg and I face a sanitization issue. There is much more opportunity for XSS attacks. So I just want to know how we solve the sanitization issue before saving into the database.
To Reproduce
Steps to reproduce the behavior:

  1. Go to https://gist.github.com/mrsinguyen/857487d874cc12c073d6348d785ba093#file-xss2-txt
  2. Copy script in raw form
  3. Paste into core/html block
  4. Save
  5. View post after save
  6. You will see the JS XSS attack code in the body. This code will add image, iframe, link and video tags and also attacks with cookies.
  7. I want a solution for sanitizing JS and HTML code before saving into the database.

Expected behavior
Sanitize and validate the code before saving into the DB.

Video
https://www.useloom.com/share/754df9cfe3244e8298351b675b855cee
Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome
  • Version: 67.0.3396.99
Labels: [Feature] Blocks, [Type] Bug

Most helpful comment

  • Requires administrator role (specifically unfiltered_html).
  • No different than pasting the same stuff in HTML tab of the classic editor.
  • Gutenberg doesn't allow any more than what's already possible through the REST API alone.

Per these notes, closing this.

All 3 comments

I tested with WordPress 4.9.7 and Gutenberg 3.2.0 and found that the post looked blank with the following errors in the console after following the steps provided. Notes: in step 4 I clicked "Save Draft" and in step 5 I simply refreshed the page.

TypeError: Cannot read property 'push' of undefined
react-dom.min.82e21c65.js:110

Uncaught (in promise) TypeError: Cannot read property 'push' of undefined
index.js?ver=1531165082:2

[Screenshot: 2018-07-09, console errors]
Seen at http://alittletestblog.com/wp-admin/post.php?post=13887&action=edit running WordPress 4.9.7 and Gutenberg 3.2.0 using Chrome 67.0.3396.99 on macOS 10.13.5.

Additional notes:

  • Requires administrator role (specifically unfiltered_html).
  • No different than pasting the same stuff in HTML tab of the classic editor.
  • Gutenberg doesn't allow any more than what's already possible through the REST API alone.

Per these notes, closing this.
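The closing notes rest on a capability gate: WordPress skips KSES filtering of post content only for users who hold `unfiltered_html`; for everyone else, `content_save_pre` runs `wp_filter_post_kses` on save, whether the post comes from Gutenberg, the classic editor's HTML tab or the REST API. As an added example (not code from the issue or from the Gutenberg project), this hypothetical mu-plugin shows the two ways a site owner can tighten that gate, with a self-check that feeds a constructed payload through `wp_kses_post`; the allow-listed user ID and the demo function name are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered_html (hypothetical mu-plugin, example only)
 *
 * Drop into wp-content/mu-plugins/. WordPress only bypasses KSES for users who
 * pass current_user_can( 'unfiltered_html' ); once that capability is denied,
 * kses_init_filters() hooks wp_filter_post_kses onto content_save_pre, so
 * <script>, <iframe> and on* event attributes pasted into a core/html block
 * are stripped before the post reaches the database.
 */

// Simplest switch: put this in wp-config.php and core's map_meta_cap()
// denies unfiltered_html to every user, administrators included.
// define( 'DISALLOW_UNFILTERED_HTML', true );

// Finer control: deny the capability unless the user is on an allow-list.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    // Constructed policy for this example: only user ID 1 keeps raw HTML.
    $trusted_user_ids = array( 1 );
    if ( ! in_array( (int) $user_id, $trusted_user_ids, true ) ) {
        return array( 'do_not_allow' ); // core treats this as a hard deny
    }
    return $caps;
}, 10, 3 );

// Self-check (e.g. via `wp eval-file` or a debug page): returns what the
// post-content KSES allow-list leaves of a constructed payload of the kind
// described in the issue. Disallowed tags are dropped (their inner text is
// kept) and event-handler attributes are removed from allowed tags.
function restrict_unfiltered_html_demo() {
    $payload = '<p>hello</p>'
             . '<script>alert(document.cookie)</script>'
             . '<img src="x" onerror="alert(1)">'
             . '<iframe src="https://example.invalid"></iframe>';
    return wp_kses_post( $payload );
}
```

Compare the return value of `restrict_unfiltered_html_demo()` with the raw `$payload` to see exactly which elements the site's `wp_kses_allowed_html( 'post' )` allow-list permits.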
