@th4s1s
Last active December 6, 2024 04:19

Steps to reproduce

For proof-of-concept purposes, I tested this on the editor running on the main page at https://trix-editor.org

Navigate to https://trix-editor.org

Next, insert some text and add a link to it by clicking the Link button. Enter the XSS payload javascript:alert('XSS') as the target link and click the Link button to add the hyperlink.


Text with a hyperlink should now appear inside the document. Remove the contenteditable attribute from the trix-editor tag in the HTML so that the link becomes clickable.


When you click the link, the JavaScript is executed in the context of trix-editor.org and a message box appears in a new blank tab.


Expected behavior

Most editors (CKEditor and TinyMCE, to name two examples) sanitize user input so that a user cannot cause unintended, malicious JavaScript to execute.

Mitigation

If the link starts with javascript: or uses any scheme other than http: or https:, filter it out or refuse to open it.
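The allowlist check described above, written as an added example that is not part of this gist or of the Trix code base. It resolves the candidate href with the browser's URL parser instead of a string prefix test, so the scheme comparison sees the same normalised scheme the browser would act on; the function names and the default base URL are my own assumptions.

```javascript
// Added example: scheme allowlist for links added or edited in a rich-text editor.
// Assumed names: ALLOWED_PROTOCOLS, DEFAULT_BASE, isSafeHref, sanitizeHref.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const DEFAULT_BASE = "https://trix-editor.org/"; // assumed origin the editor runs on

// Accept an href only if, once resolved against the page origin, its scheme is
// on the allowlist. The WHATWG URL parser does the normalisation (case,
// surrounding whitespace, relative references), so a denylist of literal
// prefixes is not needed and cannot drift out of sync with browser behaviour.
function isSafeHref(href, base = DEFAULT_BASE) {
  if (typeof href !== "string") return false;
  let parsed;
  try {
    parsed = new URL(href, base);
  } catch (_err) {
    return false; // unparseable input: filter it rather than open it
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Value an editor would store for the link: the normalised absolute URL when it
// passes the allowlist, or null when the link should be dropped.
function sanitizeHref(href, base = DEFAULT_BASE) {
  return isSafeHref(href, base) ? new URL(href, base).href : null;
}
```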

Note

There was a known issue (basecamp/trix#779), but the fix (basecamp/trix#793) only sanitizes pasted links, not links that are newly added or edited.

Environment

  • Trix version: latest
  • Browser (with version): Microsoft Edge, Firefox and Chrome
  • OS/Platform (with version): Windows 11