bookwyrm
The HTML input sanitizer is vulnerable to mutation XSS (mXSS). The payload can be stored and is then rendered on the homepage of the website (paths /#feed or /#discovery), so it affects all users and the main site.
Edit a book description:
// PoC
<math><mtext><table><mglyph><style><![CDATA ><img src></style><img title="]]></mglyph><img	src=1	onerror=alert('Pwned')>">
Visiting /#feed (the homepage of a logged-in user) or /#discovery (which displays the book description containing the payload) triggers the injected script and pops up a "Pwned" alert.
The vulnerability stems from a weakness of HTMLParser: it is not guaranteed to parse every kind of string input the way a browser will, so markup that the sanitizer reads as harmless text can be re-interpreted as tags once rendered. A replacement sanitizer such as DOMPurify would parse input more accurately while still supporting HTML.