Paragon Initiative Enterprises: Incomplete fix for #181225 (target=_blank vulnerability)

2017-05-04T14:37:13
ID H1:226104
Type hackerone
Reporter cablej
Modified 2018-04-20T18:07:09

Description

Hi,

I believe the fix for #181225 is incomplete in the Airship wysihtml parser rules.

At https://github.com/paragonie/airship/blob/58f96aa0e5002b60e74456502d9bfc9483d77b3d/src/public/js/wysihtml5/parser_rules/advanced_and_extended.js, the 'target' parameter for links is allowed to be anything, while there are no forced 'rel' attributes. Additionally, https://github.com/paragonie/airship/blob/58f96aa0e5002b60e74456502d9bfc9483d77b3d/src/public/js/wysihtml5/parser_rules/simple.js sets 'rel' to only 'nofollow'.

This could be exploited by a user who posts a link with 'target=_blank', who can then change the URL of the opening page. To fix, add 'rel="noopener noreferrer"' to the parser rules.

Thanks.
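
An added example, not part of the original report or Airship's own code: a JavaScript check over wysihtml5-style parser rules that flags an anchor rule where `target` is forced or author-controlled while `rel` is not forced to include `noopener noreferrer`, plus a helper that adds the missing tokens. The rule objects are constructed samples in the `check_attributes`/`set_attributes` shape (their exact values are assumptions), and all function names are hypothetical.

```javascript
// Tokens that must be forced on every link that can carry a target attribute.
const REQUIRED_REL = ["noopener", "noreferrer"];

// Required rel tokens that the rule does not force via set_attributes.rel.
function missingRelTokens(rule) {
  const forced = String((rule.set_attributes || {}).rel || "")
    .toLowerCase().split(/\s+/).filter(Boolean);
  return REQUIRED_REL.filter((t) => !forced.includes(t));
}

// Conservative: any forced or author-supplied target counts as reachable.
function targetReachable(rule) {
  const set = rule.set_attributes || {};
  const check = rule.check_attributes || {};
  return "target" in set || "target" in check;
}

// Returns null when the <a> rule is safe or absent, otherwise a finding.
function auditAnchorRule(name, rules) {
  const rule = ((rules || {}).tags || {}).a;
  if (!rule || typeof rule !== "object") return null;
  const missing = missingRelTokens(rule);
  if (!targetReachable(rule) || missing.length === 0) return null;
  return { ruleSet: name, missing };
}

// Returns a copy of the rules with the required tokens merged into rel.
function hardenAnchorRule(rules) {
  const a = rules.tags.a;
  const set = Object.assign({}, a.set_attributes);
  const tokens = new Set(String(set.rel || "").split(/\s+/).filter(Boolean));
  REQUIRED_REL.forEach((t) => tokens.add(t));
  set.rel = Array.from(tokens).join(" ");
  return { ...rules, tags: { ...rules.tags, a: { ...a, set_attributes: set } } };
}

// Constructed samples modelled on the two cases in the report.
const advancedLike = {
  tags: { a: { check_attributes: { href: "url", target: "any" } } },
};
const simpleLike = {
  tags: { a: { check_attributes: { href: "url" },
               set_attributes: { target: "_blank", rel: "nofollow" } } },
};

console.log(auditAnchorRule("advanced-like", advancedLike));
console.log(auditAnchorRule("simple-like", simpleLike));
console.log(auditAnchorRule("simple-like (hardened)", hardenAnchorRule(simpleLike)));
```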