XSS in Neos 8.3.3

Hello everyone,

I'm using Neos 8.3.3 with UI 8.3.0, and I have several findings where an editor can inject script using properties.

I figured out that this is possible with every property, e.g.:

  properties:
    'title':
      type: string
      defaultValue: 'Enter headline'
      ui:
        label: 'Title'
        reloadIfChanged: true
        inlineEditable: true
        inspector:
          group: 'headlineElement'

And I'm rendering it with Fusion this way:

prototype(my.Vendor:YouTube) < prototype(Neos.Neos:ContentComponent) {
    title = Neos.Neos:Editable {
        property = 'title'
    }
    renderer = afx`
        {props.title}
    `
}

But I found out that when I'm using the In-Place Edit, it is rendered like this:

<div class="neos-contentcollection">
     &lt;script&gt;alert(1)&lt;/script&gt;
</div>

Using the UI Editor, it looks like the following:

<div class="neos-contentcollection">
    <script>alert(1)</script>
</div>

Is there something I'm doing wrong, or a way to prevent this? I have some parts in my template where I can't use the In-Place Edit, such as a title or menu items.

Thanks! :slight_smile:

In the SEO package we use ${String.stripTags(value)} for critical values.

That works pretty well, thanks! :smiley:

Is there a clean way to do that within the properties?

Not working:

test = Neos.Neos:Editable {
    property = ${String.stripTags('title')}
}

renderer = afx`
    <div class="test">{props.test}</div>
`

Output:

<div class="test"><script>alert('Oops');</script></div>

Working:

title = Neos.Neos:Editable {
    property = 'title'
}
renderer = afx`
    <div class="test2">{String.stripTags(props.title)}</div>
`

Output:

<div class="test2">alert('Oops');</div>

For editables you have to be careful as the editable itself generates tags to make the text editable.
So use the helper either with a condition or only for non editable properties.

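An added example (not from the thread or from the Neos project) of the condition described above: the stripped value is rendered for frontend visitors, and the Editable, which emits its own wrapper tags, is rendered only in the backend. It assumes a hypothetical `My.Vendor:Headline` prototype with `title` and `subtitle` properties and the legacy `node.context.inBackend` flag available in Neos 8.x.

```fusion
prototype(My.Vendor:Headline) < prototype(Neos.Neos:ContentComponent) {
    # Frontend: output the property with markup stripped, so an injected
    # <script> stored in the node never reaches anonymous visitors.
    title = ${String.stripTags(q(node).property('title'))}
    title.@if.onlyInFrontend = ${!node.context.inBackend}

    # Backend: keep the Editable so inline editing still works. The editable
    # wrapper generates its own tags, so String.stripTags must not run here.
    editableTitle = Neos.Neos:Editable {
        property = 'title'
        @if.onlyInBackend = ${node.context.inBackend}
    }

    # A property that is only edited in the inspector (never inline) can be
    # stripped unconditionally. 'subtitle' is an assumed property name.
    subtitle = ${String.stripTags(q(node).property('subtitle'))}

    renderer = afx`
        <h1 class="headline">{props.title}{props.editableTitle}</h1>
        <p class="subtitle">{props.subtitle}</p>
    `
}
```

String.stripTags only removes markup; for a value placed inside an HTML attribute, String.htmlSpecialChars(value) is the appropriate escaping instead.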

Perfect, thanks a lot @sebobo! :slight_smile: