Skip to content

fix: address XSS vulnerability with note text#702

Open
emersion wants to merge 1 commit intomainfrom
note-xss
Open

fix: address XSS vulnerability with note text#702
emersion wants to merge 1 commit intomainfrom
note-xss

Conversation

@emersion
Copy link
Copy Markdown
Member

@emersion emersion commented Dec 19, 2025
edited
Loading

Notes can contain HTML in their body text. The HTML was directly piped into the DOM in 3 spots, resulting in an XSS vulnerability. The XSS vulnerability can be used to e.g. perform authenticated API calls on behalf of another user by making a privileged user open a shared variant by sending them a link.

Here are the 3 spots where the note text is used:

  • In the notes view, when displaying the body text in the editor main view's SVG with d3. The d3 html() method is used.
  • In the notes view, when computing the size of the body text. The innerHTML field is set.
  • In the note edit dialog, when passing the text to ngx-editor. ngx-editor doesn't perform any sanitization on its own.

Fix all of these by adding DomSanitizer.sanitize() calls.

Here is a PoC for the XSS vulnerability:
networkGraphic(16).json

@emersion emersion requested a review from aiAdrian as a code owner December 19, 2025 09:17
@emersion emersion force-pushed the note-xss branch 2 times, most recently from 6594b05 to fa4fabb Compare December 19, 2025 09:20
This was referenced Dec 19, 2025
Open
Open
@emersion
fix: address XSS vulnerability with note text
c3144fd 
Notes can contain HTML in their body text. The HTML was directly
piped into the DOM in 3 spots, resulting in an XSS vulnerability.
The XSS vulnerability can be used to e.g. perform authenticated
API calls on behalf of another user by making a privileged user
open a shared variant by sending them a link.

Here are the 3 spots where the note text is used:

- In the notes view, when displaying the body text in the editor
  main view's SVG with d3. The d3 html() method is used.
- In the notes view, when computing the size of the body text.
  The innerHTML field is set.
- In the note edit dialog, when passing the text to ngx-editor.
  ngx-editor doesn't perform any sanitization on its own.

Fix all of these by adding DomSanitizer.sanitize() calls.

Signed-off-by: Simon Ser <contact@emersion.fr>
aiAdrian
aiAdrian requested changes Jan 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@aiAdrian aiAdrian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proposed change will no longer provide the same behaviour... Colours are no longer be visible in the note dialog.

Before change

image

After change (this PR)

image

@aiAdrian
Copy link
Copy Markdown
Contributor

aiAdrian commented Jan 5, 2026

chrome-capture-2026-01-05.webm

@emersion
Copy link
Copy Markdown
Member Author

emersion commented Jan 6, 2026

Indeed, good catch!

Hm, this is going to be tricker to fix… It doesn't seem like there is a way to convince DomSanitizer to allow styles…

@emersion emersion moved this to Awaiting merge in Board PI 18 Jan 13, 2026
@emersion emersion self-assigned this Jan 13, 2026
@emersion emersion moved this from Awaiting merge to In Progress in Board PI 18 Jan 13, 2026
@louisgreiner louisgreiner added area:view Actual components ("visual" stuff) code-quality Technical enhancements labels Jan 29, 2026
@emersion emersion moved this to In Progress in Board PI 19 Feb 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aiAdrian aiAdrian aiAdrian requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@emersion emersion

Labels

area:view Actual components ("visual" stuff) code-quality Technical enhancements

Projects

Board PI 18
Status: In Progress
Board PI 19
Status: In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@emersion @aiAdrian @louisgreiner