Cross-site Scripting (XSS) - Reflected in bustle/mobiledoc-kit
May 5th 2021
XSS using bypass of URL validation
🕵️♂️ Proof of Concept
I see your code https://github.com/bustle/mobiledoc-kit uses a dependency https://github.com/bustle/mobiledoc-dom-renderer.
This dependency is used for URL validation to prevent XSS.
But it can be bypassed using the payload below.
With this payload your code will mark it as a safe URL.
The vulnerable script is https://github.com/bustle/mobiledoc-dom-renderer/blob/master/lib/utils/sanitization-utils.js
Many projects use this code of yours to prevent XSS.
One of them is Ghost CMS https://github.com/TryGhost/Ghost, which uses this code for filtering, and there I found XSS because this code fails to filter it.
I also submitted this XSS bug to Ghost CMS here https://www.huntr.dev/bounties/1-other-TryGhost/Ghost/
XSS filter bypass
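The report concerns an href validator that decides from the URL's scheme whether a link is safe. As an added example (not mobiledoc-dom-renderer's or Ghost's own code), here is an allowlist-based validator that first applies the same pre-processing browsers apply to a URL (leading/trailing control characters and spaces stripped, ASCII tab and newline removed) before reading the scheme, so the string it judges is the string the browser would navigate to. The scheme allowlist and the `unsafe:` prefix convention are assumptions for the example.

```javascript
// Added example: allowlist-based href sanitizer (not the renderer's own code).
// Assumed allowlist: only these schemes may appear in a rendered href.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Browsers strip leading/trailing C0 controls and spaces and drop ASCII
// tab/newline anywhere in the input before parsing the scheme. A validator
// that inspects the raw string instead judges a different URL than the one
// the browser will actually follow, so normalise first.
function normalizeForScheme(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Returns the lowercase scheme without the trailing ':', or null when the
// URL has no scheme (relative path, query-only or fragment-only link).
function extractScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeForScheme(url));
  return m ? m[1].toLowerCase() : null;
}

// Allowlist check: relative URLs are fine, absolute URLs must use a
// permitted scheme. Anything unknown (data:, javascript:, vbscript:, custom
// handlers, ...) is rejected without needing a blocklist entry for it.
function isSafeHref(url) {
  const scheme = extractScheme(url);
  if (scheme === null) return true;
  return SAFE_SCHEMES.has(scheme);
}

// Neutralise rather than drop an unsafe value so the document still renders
// and the rejection stays visible in the output (assumed convention).
function sanitizeHref(url) {
  return isSafeHref(url) ? url : `unsafe:${url}`;
}

// Constructed sample inputs for a quick self-check when run directly.
const samples = ['https://example.com/', '/docs/page', '#top',
                 '  HTTPS://example.com', 'mailto:user@example.com',
                 'data:text/html,x', 'javascript:void(0)'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isSafeHref(s) ? 'allowed' : 'rejected');
}
```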