This is a demo application that demonstrates proper sanitization of raw HTML entered via a rich text editor.

- install node v20
- run `npm ci`
- run `node app.js`
- visit http://localhost:3000/sanitized.html to test the sanitized input
- visit http://localhost:3000/unsanitized.html to test the unsanitized input
1. Run the following curl command:

   ```sh
   curl --request POST \
     --url http://localhost:3000/unsanitzed \
     --header 'Content-Type: application/json' \
     --data '{ "richText": "<img src='\''x'\'' onerror='\''alert(1)'\''>" }'
   ```

2. After running the command, copy the id that was returned and paste it into the `post` query parameter of the unsanitized.html URL:
   http://localhost:3000/unsanitized.html?post=your-id-goes-here
   You should see an alert popup appear. This verifies that you have exploited the stored XSS (sXSS) vulnerability.

3. Repeat step 2, this time using the sanitized URL:
   http://localhost:3000/sanitized.html?post=your-id-goes-here
   You should no longer see the alert popup. This verifies that the injected JavaScript has been sanitized.
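The check that the sanitized page relies on, shown here as an added allowlist sanitizer written for this README rather than the demo's own `app.js` code. It strips the `onerror` handler from the `<img>` payload in the curl command above (the payload constant below is constructed from it), drops non-allowlisted tags such as `<script>`, and rejects `javascript:` URLs. It is illustrative; a production application should use a maintained library such as DOMPurify or sanitize-html instead of a hand-rolled parser.

```javascript
// Allowlist-based sanitizer for rich-text HTML (added example, not the demo's code).
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'img', 'br']);
const ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt'] }; // event handlers are never listed

// Constructed from the curl payload in the README above.
const DEMO_PAYLOAD = "<img src='x' onerror='alert(1)'>";

// Escape text nodes and attribute values so user input can never become markup.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Relative URLs and http(s)/mailto survive; javascript:, data:, vbscript: are dropped.
function safeUrl(value) {
  const v = value.trim().toLowerCase();
  return !/^[a-z][a-z0-9+.-]*:/.test(v) || /^(https?|mailto):/.test(v);
}

function sanitizeRichText(html) {
  // Matches a complete opening or closing tag; anything that does not match is treated as text.
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags is escaped
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;           // <script>, <iframe>, ... are removed entirely
    if (m[0].startsWith('</')) { out += `</${tag}>`; continue; }
    let attrs = '';
    const attrRe = /([^\s=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!(ALLOWED_ATTRS[tag] || []).includes(name)) continue; // onerror, onclick, style... dropped
      if ((name === 'href' || name === 'src') && !safeUrl(value)) continue;
      attrs += ` ${name}="${escapeText(value)}"`;    // re-quoted and escaped on output
    }
    out += `<${tag}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

console.log(sanitizeRichText(DEMO_PAYLOAD)); // <img src="x">
```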
All content in these repositories including code has been provided by IBM under the associated open source software license and IBM is under no obligation to provide enhancements, updates, or support. IBM developers produced this code as an open source project (not as an IBM product), and IBM makes no assertions as to the level of quality nor security, and will not be maintaining this code going forward.