Possible XSS bug #1255

Closed
opened 2026-02-05 00:25:06 +03:00 by OVERLORD · 6 comments
Originally created by @billford on GitHub (Jul 10, 2019).

Originally assigned to: @ssddanbrown on GitHub.

Describe the bug

Create or edit a page.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Create or edit a page.
  2. Add some text and hit enter.
  3. Add malicious or even innocuous JavaScript.
  4. You get the pop-up on save or on any refresh.

Expected behavior

This should be filtered and sanitized so it doesn't actually execute.

Screenshots

Attached:

Screen Shot 2019-07-10 at 1 36 16 PM (https://user-images.githubusercontent.com/2289667/60991587-cf103800-a318-11e9-8c21-d574379c34cf.png)

Screen Shot 2019-07-10 at 1 36 02 PM (https://user-images.githubusercontent.com/2289667/60991189-05998300-a318-11e9-8ae8-fcf62d47f3de.png)

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.26.2
  • PHP Version: 7.2.19
  • Hosting Method (Nginx/Apache/Docker): Apache

Additional context

I have none.
OVERLORD added the 🚀 Priority and 🔒 Security labels 2026-02-05 00:25:06 +03:00
@ssddanbrown commented on GitHub (Jul 10, 2019):

Thanks for raising this @billford. Looks like my XPath queries were a bit weak. I've applied c732970f6e19f14a1107b7429cbf387bcb7848b3 which should cover this while increasing the range of checks in tests.

I have just deployed BookStack v0.26.3 (https://github.com/BookStackApp/BookStack/releases/tag/v0.26.3) to distribute this update.

Thanks again!
@billford commented on GitHub (Jul 11, 2019):

I don't think this is quite fixed (but this may be meant as a feature, so I'm not sure).

iframe tags in the edit page still allow for XSS-style entries. Interestingly enough, that works on both the preview and when you save it. Screenshots attached:

Screen Shot 2019-07-11 at 9 37 01 AM (https://user-images.githubusercontent.com/2289667/61055527-b0b14780-a3bf-11e9-81fe-e09505813e3c.png)
Screen Shot 2019-07-11 at 9 36 50 AM (https://user-images.githubusercontent.com/2289667/61055528-b149de00-a3bf-11e9-828b-26a3cc01026c.png)
@billford commented on GitHub (Jul 12, 2019):

Mutated XSS works as well:

<a a="<img src=1 onerror='alert(1)'>

but only in the editor function.
@ssddanbrown commented on GitHub (Jul 15, 2019):

Thanks for the extra finds @billford. Have marked for the next release to ensure I don't forget to patch these cases but will probably tackle sooner than that.
@ssddanbrown commented on GitHub (Aug 7, 2019):

I have just deployed v0.26.4 (https://github.com/BookStackApp/BookStack/releases/tag/v0.26.4) which adds extra escaping for iframes with JavaScript URLs. I also realised that iframes with base64 data URLs that include script tags could be used to fire JS, so I also check for those.

I'm not as worried about the editor due to the lower frequency, but I'll leave this open as a reminder to address it.
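The two checks this thread ends up needing, an iframe src scheme test that catches javascript: and data: URLs (including entity-encoded and whitespace-padded spellings) and re-serialisation of attribute values so that a stored value like the `<a a="<img ...>` payload above cannot later be re-read as markup, as an added Python example; this is not BookStack's code (its sanitiser is PHP and XPath based) and the names `unsafe_iframe_src`, `Sanitizer` and `sanitize` are mine. It goes slightly beyond the comment by refusing every non-http(s) iframe scheme outright instead of decoding base64 data URLs to look for script tags.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_IFRAME_SCHEMES = {"http", "https"}  # allow-list: javascript:, data:, ... are refused
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")

def unsafe_iframe_src(value: str) -> bool:
    """True when an iframe src would run script instead of loading a document."""
    # Browsers ignore ASCII control/whitespace characters in URLs, so ' java\tscript:' is 'javascript:'
    normalized = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    match = _SCHEME_RE.match(normalized)
    if match is None:  # no scheme: a relative URL that loads same-origin content
        return False
    return match.group(1) not in ALLOWED_IFRAME_SCHEMES

class Sanitizer(HTMLParser):
    """Re-serialise markup: attribute values quoted and escaped, on* handlers and
    <script> (with its body) dropped, iframe src removed when unsafe_iframe_src() flags it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values arrive entity-decoded
        self.out, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # the parser treats the body as raw text until </script>
            self._in_script = True
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onerror=, onload=, ...
                continue
            if tag == "iframe" and name == "src" and unsafe_iframe_src(value or ""):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(html.escape(data, quote=False))

def sanitize(markup: str) -> str:
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```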
@ssddanbrown commented on GitHub (Dec 12, 2020):

Since the MD editor display was sandboxed in 7cc17934a87714fb7a01009f8c8dc059f0577b2d I'll close this off.
Reference: starred/BookStack#1255