JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on the main application domain. This XSS triggers for everyone viewing the document.
The PoC file is different for each vulnerable embed; see the PoCs in the Occurrences section.

1. Import the PoC document.
2. XSS triggers for everyone viewing this document.
These vulnerabilities are possible due to a combination of two factors:

1. The RegExp that recognises the embed URL lacks `^` at the beginning, so it matches anywhere in the string instead of only at its start.
2. `props.attrs.href` is used unchanged as the `src` of the resulting iframe.
For example, the line

javascript:...//https://jsfiddle.net/a/b

would be processed by the JSFiddle embed and result in

<iframe src="javascript:...//https://jsfiddle.net/a/b" ... >

which leads to the payload being executed in the context of the main domain.
Recommended fix:

- Add `^` at the beginning of the RegExps.
- Validate `props.attrs.href` before it is used as the iframe `src` in the responses.
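As an added illustration (not code from the report or from the affected application), the following compares a hypothetical unanchored embed matcher with an anchored one that additionally parses the URL and checks its scheme and host; the JSFiddle pattern and the sample hrefs are assumptions, with the first sample being the line quoted above.

```javascript
// Added example; the matcher below is a hypothetical stand-in for the embed
// RegExp described in the report, not the application's real pattern.

// Unanchored: without `^` the pattern is accepted wherever it occurs in the string.
const UNANCHORED = /https:\/\/jsfiddle\.net\/[\w-]+\/[\w-]+/;

// Anchored with `^` and `$`: the whole href must be the embed URL.
const ANCHORED = /^https:\/\/jsfiddle\.net\/[\w-]+\/[\w-]+$/;

// Vulnerable behaviour: any href containing the pattern counts as an embed.
function matchesEmbedUnanchored(href) {
  return UNANCHORED.test(href);
}

// Hardened check: anchored RegExp plus URL parsing, so only an https URL on the
// expected host can ever become the iframe src. Returns null when rejected.
function safeEmbedSrc(href) {
  if (!ANCHORED.test(href)) return null;
  let parsed;
  try {
    parsed = new URL(href);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:" || parsed.hostname !== "jsfiddle.net") return null;
  return parsed.href;
}

// Constructed sample inputs: the href quoted in the report and a legitimate embed URL.
const SAMPLES = {
  malicious: "javascript:...//https://jsfiddle.net/a/b",
  legitimate: "https://jsfiddle.net/a/b",
};

// Runs both checks over the samples and returns the verdicts for inspection.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, href]) => [
      name,
      { unanchoredAccepts: matchesEmbedUnanchored(href), hardenedSrc: safeEmbedSrc(href) },
    ])
  );
}

console.log(demo());
```

The unanchored matcher accepts both samples, while the hardened check keeps the legitimate URL and rejects the one carrying a non-https scheme.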