Experimenting on TDWTF has shown that insufficient sanitization is being performed on user posts. This allows users to disguise potentially malicious input as standard components of the Discourse UI. For example:
google.txt (17 KBytes)
The above look like a harmless attachment and mention, but they are really redirects to Google and Bing respectively. Such unsanitized input could be modified to point to potentially harmful sites, causing unwary users to be redirected without warning.
So far nothing more dangerous has been found, but this is still a vulnerability. I suggest the following:
- Any classes which are baked into elements by Discourse - to indicate things such as mentions, attachments, etc. - should not be permitted in user-generated raw.
- Sanitization should occur as the first step of baking a post.
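As an illustration of both suggestions, here is an added example (not code from the original post, and not Discourse's own sanitizer) of a sanitizer that strips reserved UI class tokens from user-supplied HTML before any baking step adds them back. The class names `attachment` and `mention` are taken from the spoofed elements described above; the `/u/<name>` mention link shape and the `bake_mentions` helper are assumptions standing in for Discourse's real cooking pipeline.

```python
import re
from html import escape
from html.parser import HTMLParser

# Class tokens that only the baker may emit. "attachment" and "mention" are the
# two spoofed in the report; any other UI-only class would be added here.
RESERVED_CLASSES = frozenset({"attachment", "mention"})


class ReservedClassStripper(HTMLParser):
    """Re-serialise HTML, dropping reserved tokens from every class attribute.

    Works on parsed tokens rather than regexes, so odd quoting, entities and
    attribute ordering do not let a reserved class slip through.
    """

    def __init__(self, reserved):
        super().__init__(convert_charrefs=False)
        self.reserved = {c.lower() for c in reserved}
        self.out = []
        self.dropped = []  # reserved tokens removed, useful for logging/alerting

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if name == "class" and value is not None:
                # Case-insensitive match is deliberately conservative.
                kept = [t for t in value.split() if t.lower() not in self.reserved]
                self.dropped.extend(t for t in value.split() if t.lower() in self.reserved)
                if not kept:
                    continue  # drop the attribute entirely
                value = " ".join(kept)
            if value is None:
                parts.append(f" {name}")
            else:
                # HTMLParser unescaped the value; re-escape on output.
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing a post needs; drop them


def strip_reserved_classes(raw_html, reserved=RESERVED_CLASSES):
    """Return (sanitised_html, list_of_dropped_tokens)."""
    p = ReservedClassStripper(reserved)
    p.feed(raw_html)
    p.close()
    return "".join(p.out), p.dropped


# Assumed stand-in for the real baker: turns @name into a genuine mention link.
MENTION_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9_]{3,20})")


def bake_mentions(html):
    return MENTION_RE.sub(
        lambda m: f'<a class="mention" href="/u/{m.group(1)}">@{m.group(1)}</a>', html
    )


def cook(raw_html):
    """Sanitise FIRST, then bake, so every reserved class in the output is the baker's."""
    sanitized, dropped = strip_reserved_classes(raw_html)
    return bake_mentions(sanitized), dropped


# Constructed input modelled on the spoofed attachment and mention from the report.
SPOOFED = (
    '<a class="attachment" href="https://www.google.com/">google.txt</a> (17 KBytes) '
    'and <a class="mention" href="https://www.bing.com/">@admin</a>'
)

if __name__ == "__main__":
    clean, dropped = strip_reserved_classes(SPOOFED)
    print(clean)
    print("dropped:", dropped)
    print(cook('hello @remy <b class="mention">x</b>')[0])
```

Once the reserved tokens are gone, the fake attachment and fake mention render as plain links with their real targets visible, and the `dropped` list gives moderators a signal worth logging. Running the stripper before baking (as in `cook`) is what makes the second suggestion hold: nothing the user typed can carry a reserved class into the cooked post, while the baker is still free to add them.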