🚨 Trix allows Cross-site Scripting via `javascript:` url in a link

The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.

Impact

An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

See https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.12 or later.

Workarounds

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References

https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

Credits

This vulnerability was reported by Hackerone researcher https://hackerone.com/lio346?type=user

2.1.11

What's Changed

• Make DOMPurify configurable by @djmb in #1208
• Allow comments in attachments by @djmb in #1214
• Switch from node-sass to sass by @intrip in #1215
• Reintroduce yarn build --watch by @intrip in #1216

New Contributors

• @intrip made their first contribution in #1215

Full Changelog: v2.1.10...v2.1.11

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 17 commits:

• v2.1.12
• Merge pull request #1218 from basecamp/refactor-xss-fix
• Refactor link XSS patch
• Merge commit from fork
• Switch from JS pattern to DOMPurity.isValidAttribute
• Fix XSS via `javascript:` url in a link
• v2.1.11
• Merge pull request #1216 from basecamp/fix-yarn-start
• Reintroduce `yarn build --watch`
• SCSS: Switch to `compile`
• Merge pull request #1215 from basecamp/switch-to-sass
• Switch from node-sass to sass
• Merge pull request #1214 from basecamp/disable-safe-for-xml
• Allow comments in attachments
• Merge pull request #1208 from basecamp/dom-purify-config
• Fix sanitization checks
• Make DOMPurify configurable

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)