Discourse: Stored XSS in topics because of whitelisted_generic engine vulnerability

2017-01-12T18:15:47
ID H1:197902
Type hackerone
Reporter skavans
Modified 2017-01-20T23:50:19

Description

Hello!

Steps to reproduce:

1. Paste this payload URL in the topic: http://89.223.28.48/og_image.html?uncache1234
2. Save the post and you will see the XSS fire. {F151911}

Though you now escape the OpenGraph data, the whitelisted_generic onebox engine decodes the variable values back at lines 202 and 207. These decoded values are then injected into the raw HTML here and here, which makes an XSS attack possible.

An example post with the stored XSS inside is: https://try.discourse.org/t/testing-is-in-progress/620 Please let me know if you need any extra information to locate and fix the bug.
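The bug class the report describes, as an added illustration in Ruby (this is not the onebox engine's or Discourse's own code): an OpenGraph value is escaped upstream, a renderer decodes it back and interpolates it into raw HTML, and the hardened variant re-escapes at the point of interpolation. The sample og:title, the function names and the `<h3>` wrapper are constructed for this example.

```ruby
require "cgi"

# Constructed sample og:title, as a remote page might supply it.
RAW_OG_TITLE = "Hello <script>x()</script>"

# Upstream step: the fetched OpenGraph data is HTML-escaped before it is
# handed to the engine, so on its own it is safe to interpolate.
def escape_opengraph(value)
  CGI.escapeHTML(value)
end

# Vulnerable pattern from the report: the engine decodes the already-escaped
# value and drops it straight into an HTML template. The decode undoes the
# upstream escaping, so any markup from the remote page reaches the browser.
def render_vulnerable(escaped_title)
  decoded = CGI.unescapeHTML(escaped_title)
  %(<h3 class="onebox-title">#{decoded}</h3>)
end

# Hardened form: decoding for text processing is fine, but the value must be
# escaped again at the exact point where it is written into HTML.
def render_fixed(escaped_title)
  decoded = CGI.unescapeHTML(escaped_title)
  %(<h3 class="onebox-title">#{CGI.escapeHTML(decoded)}</h3>)
end

# Regression check usable in a spec: does the rendered fragment contain any
# raw tag inside the wrapper element?
def contains_raw_tag?(html_fragment)
  inner = html_fragment.sub(/\A<h3[^>]*>/, "").sub(%r{</h3>\z}, "")
  inner.match?(/<\w+[^>]*>/)
end

if __FILE__ == $PROGRAM_NAME
  escaped = escape_opengraph(RAW_OG_TITLE)
  puts "vulnerable: #{render_vulnerable(escaped)}"
  puts "fixed:      #{render_fixed(escaped)}"
end
```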