Hi,
This vulnerability occurs when a web application allows users to input HTML content (such as
in an email template) without proper validation or sanitization, leading to the execution of
injected malicious HTML or JavaScript.
I have tried in the class JsonEmailTemplateEdit on onPreCommit when data is getting saved to override and check HTML sanitization but in exlude entitites there is nothing such HTML getting found any other way to check HTML sanitization before saving details.
Hello,
Thank you for reporting a problem! I tried to reproduce your case, but javascript is not executed in the editor. Could you clarify where this is executed?
The result HTML is saved in JsonEmailTemplate entity. It contains the html property. You can check it in onPreCommit method. Or you can override the component to get/set already sanitized values. For instance:
public class ExtGrapesJsNewsletterHtmlEditorImpl extends GrapesJsNewsletterHtmlEditorImpl {
@Override
public String getValue() {
String value = super.getValue();
return sanitize(value);
}
@Override
public void setValue(String value) {
String sanitized = sanitize(value);
super.setValue(sanitized);
}
}
And component registration:
@Bean
public ComponentRegistration extGrapesJsNewsletterHtmlEditorImpl() {
return ComponentRegistrationBuilder.create(GrapesJsNewsletterHtmlEditor.NAME)
.withComponentClass(ExtGrapesJsNewsletterHtmlEditorImpl.class)
.withComponentLoaderClass(GrapesJsNewsletterHtmlEditorLoader.class)
.build();
}
Pay attention that you should check how the default sanitizer will work with template parameters.
Hi,
I had checked with the shared solution but it is not working as we are getting text in form of HTML
Regex is trying to match the pattern inside the actual HTML attribute, but the input string is HTML-encoded.
So when we Decode the HTML entities first, then apply the regex to the decoded string. on Email template screen black or empty screen is displayed also we again click on side panel to add text it is not in clickable mode nothing action happens.
<div style=\"padding:10px\"><p><a href="javascript:alert('XSS')"/>Click Here</a></p></div>
Hi Adnan,
could you share a demo project that reproduces your problem with HTML?. Also, could you clarify where in the application the defined JS code in email template is executed?
Attached is the steps where user is able to execute the script/
Thank you for sharing the steps to reproduce the problem!
I’ve created a GitHub issue: GrapesJsNewsletterHtmlEditor produces HTML with JavaScript code that can be executed in template preview · Issue #4759 · jmix-framework/jmix · GitHub
Hello!
The problem will be fixed by the end of this year. We consider the issue to be not critical, since this vulnerability can only be exploited by users with admin rights to edit the template.