huntr report EBD2428A-E2CB-480E-BA37-DD89AD62CF1B (alexeypetrenko), history: Jul 05, 2023 - 12:33 p.m.

XSS vulnerabilities via various embeds

2023-07-05 12:33:44
alexeypetrenko
www.huntr.dev
Tags: xss vulnerabilities, embeds, input validation, stored xss, main domain, regexps, iframe, mitigation, bug bounty

EPSS

0.001

Percentile

21.8%

Description

The JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Each of them can be abused to achieve a stored XSS on the main application domain.
The XSS triggers for everyone viewing the document.

Proof of Concept

The PoC file is different for each vulnerable embed. See the PoCs in the Occurrences section.

Steps to reproduce

  • Save PoC content to a file
  • Upload this file to Outline via import document

The XSS triggers for everyone viewing this document.

Technical details

These vulnerabilities are possible due to a combination of two factors:

  1. The RegExps are missing ^ at the beginning, so they match a URL anywhere inside the line rather than only a line that is that URL.
  2. The components use props.attrs.href unchanged as the src of the resulting iframe.

For example, a line

javascript:...//https://jsfiddle.net/a/b

would be processed by JSFiddle embed and result in

<iframe src="javascript:...//https://jsfiddle.net/a/b" ... >

which leads to the payload being executed in the context of the main domain.

Mitigation recommendations

  • Add ^ at the beginning of the RegExps
  • Do not reflect props.attrs.href in the responses; build the iframe src from the matched URL parts instead
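The following is an added illustration of the two factors and the two mitigations above; it is example code written for this page, not Outline's own embed code. The regexes, the helper names (matchesEmbed, buildEmbedSrc, isExpectedOrigin, evaluate) and the "/embedded/" path are assumptions made for the example. It also anchors the end of the pattern, which goes slightly beyond the report's ^-only recommendation, and adds a URL-parser check as defence in depth.

```javascript
// Added example (not Outline's code): the two defects the report names, side by side
// with the recommended fixes, using a hypothetical JSFiddle embed matcher.
// The regexes, helper names and the "/embedded/" path are assumptions for illustration.

// Defect 1: no "^" anchor, so the pattern matches anywhere inside the href,
// including after a "javascript:" scheme.
const JSFIDDLE_UNANCHORED = /https:\/\/jsfiddle\.net\/([\w-]+)\/([\w-]+)/;

// Fix 1: anchor the pattern to the start (the report's recommendation); this example
// also anchors the end so nothing can be appended after the expected path.
const JSFIDDLE_ANCHORED = /^https:\/\/jsfiddle\.net\/([\w-]+)\/([\w-]+)\/?$/;

// Returns true when the given matcher accepts the href as a JSFiddle embed.
function matchesEmbed(re, href) {
  return re.test(href);
}

// Fix 2: never reflect the raw href into the iframe src. Rebuild the src from the
// captured path segments only, so the output can only ever be an https URL on the
// expected host. Returns null when the href is not an accepted embed URL.
function buildEmbedSrc(href) {
  const m = JSFIDDLE_ANCHORED.exec(href);
  if (m === null) {
    return null;
  }
  const [, user, fiddleId] = m;
  // "/embedded/" is an assumed embed path used for illustration only.
  return `https://jsfiddle.net/${user}/${fiddleId}/embedded/`;
}

// Defence in depth, independent of the regex: parse the href with the URL API and
// insist on an https scheme and the exact expected host. A "javascript:" href fails
// the scheme check even though it contains a valid-looking https URL further along.
function isExpectedOrigin(href, expectedHost) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // not parseable as a URL at all
  }
  return url.protocol === "https:" && url.hostname === expectedHost;
}

// Constructed inputs: a legitimate embed URL and the shape of line the report describes.
const GOOD = "https://jsfiddle.net/a/b";
const BAD = "javascript:...//https://jsfiddle.net/a/b";

// Walk both inputs through the vulnerable and hardened checks and return the results,
// so a caller (or a test) can inspect them rather than rely on printed output.
function evaluate() {
  return {
    unanchoredAcceptsBad: matchesEmbed(JSFIDDLE_UNANCHORED, BAD), // true: the bug
    anchoredAcceptsBad: matchesEmbed(JSFIDDLE_ANCHORED, BAD),     // false
    anchoredAcceptsGood: matchesEmbed(JSFIDDLE_ANCHORED, GOOD),   // true
    srcForBad: buildEmbedSrc(BAD),                                 // null
    srcForGood: buildEmbedSrc(GOOD),   // "https://jsfiddle.net/a/b/embedded/"
    originCheckBad: isExpectedOrigin(BAD, "jsfiddle.net"),         // false
    originCheckGood: isExpectedOrigin(GOOD, "jsfiddle.net"),       // true
  };
}

console.log(evaluate());
```

The unanchored matcher accepts the javascript: line because the https URL occurs later in the string; the anchored one rejects it, and buildEmbedSrc guarantees that whatever reaches the iframe src was assembled from the captured segments rather than copied from the user-supplied href.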
