In Grav, you can preview a file you have uploaded by hovering over it in the file list and clicking the info icon.
The normal preview should be like this:
However, I noticed that XSS is possible through the filename, because the preview is built from the following HTML:
<div>
<img src="/user/pages/02.typography/xss.svg?cropZoom=400,300">
</div>
We can upload a file with a filename of "><img src>. The leading double quote closes the src attribute and the > closes the img tag, so the remainder of the filename is rendered as markup and our XSS payload executes.
Rendered HTML Code:
<div>
<img src="/user/pages/02.typography/">
<img src>
.svg?cropZoom=400,300" />;
</div>
Aside from that, I also found that the metadata view is vulnerable: the filename is echoed unescaped into the error message returned when its .meta.yaml file does not exist.
<div>
<ul>
<li>
<strong></strong>
" ">"
<img src>
.svg.meta.yaml doesn't exist
</li>
</ul>
</div>
"><img src> as filename

A malicious user could execute JS code and target other users of the website, retrieving details such as the admin nonce, IP address, User-Agent, current page content, etc.
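The following example is added here to illustrate both injection points described above (the src attribute of the preview and the .meta.yaml error message); it is not Grav's code. The template strings are assumed approximations of the markup shown in this report, not Grav's Twig templates, and the payload, path prefix and helper names are constructed for the illustration. It shows the unescaped rendering that turns one filename into two img tags, the escaped rendering that keeps the filename inside the attribute, and a filename allow-list as defence in depth.

```javascript
// Added illustration, not Grav's own code. The templates below approximate
// the markup shown in the report; the payload and prefix are constructed.

// Constructed payload: the " closes src="...", the > closes the <img> tag,
// and the rest is parsed as new markup.
const PAYLOAD = '"><img src=x onerror=alert(1)>.svg';
const PATH_PREFIX = '/user/pages/02.typography/';  // assumed, from the report

// Vulnerable preview: filename concatenated straight into the attribute.
function renderPreviewUnsafe(filename) {
  return '<div>\n<img src="' + PATH_PREFIX + filename +
         '?cropZoom=400,300" />\n</div>';
}

// Vulnerable error message: filename concatenated into text content.
function renderMetaErrorUnsafe(filename) {
  return '<li><strong></strong> ' + filename + ".meta.yaml doesn't exist</li>";
}

// Escape the characters that matter in HTML text and quoted-attribute
// contexts. Quoting the attribute AND escaping " is what keeps the
// filename inside the attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Safe preview: the filename is a URL path segment, so percent-encode it
// first (this also removes " < >), then attribute-escape the result.
function renderPreviewSafe(filename) {
  const segment = escapeHtml(encodeURIComponent(filename));
  return '<div>\n<img src="' + PATH_PREFIX + segment +
         '?cropZoom=400,300" />\n</div>';
}

// Safe error message: plain HTML escaping is enough for a text node.
function renderMetaErrorSafe(filename) {
  return '<li><strong></strong> ' + escapeHtml(filename) +
         ".meta.yaml doesn't exist</li>";
}

// Defence in depth: reject upload names outside a conservative allow-list
// before they are stored, so no template ever sees markup characters.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;
function isSafeFilename(filename) {
  return SAFE_FILENAME.test(filename) && !filename.includes('..');
}

// Crude probe of rendered markup: count <img tags. The vulnerable template
// turns one filename into two tags, matching the "Rendered HTML Code" above.
function countImgTags(html) {
  return (html.match(/<img\b/g) || []).length;
}

function main() {
  console.log('unsafe preview:\n' + renderPreviewUnsafe(PAYLOAD));
  console.log('img tags (unsafe):', countImgTags(renderPreviewUnsafe(PAYLOAD)));
  console.log('safe preview:\n' + renderPreviewSafe(PAYLOAD));
  console.log('img tags (safe):', countImgTags(renderPreviewSafe(PAYLOAD)));
  console.log('unsafe meta error:', renderMetaErrorUnsafe(PAYLOAD));
  console.log('safe meta error:  ', renderMetaErrorSafe(PAYLOAD));
  console.log('allow-list accepts xss.svg:', isSafeFilename('xss.svg'));
  console.log('allow-list accepts payload:', isSafeFilename(PAYLOAD));
}

if (typeof require !== 'undefined' && require.main === module) {
  main();
}
```

Escaping at the output point is the actual fix; the allow-list only reduces the attack surface and should not be relied on alone, since other code paths (renames, imports, metadata) may introduce filenames that never passed the upload check.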