This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Site wide stored cross site scripting via Client Side Template Injection #10

Open. Wants to merge 3 commits into base: master.

Conversation


@ghost ghost commented May 7, 2021

📊 Metadata *

Bounty URL: https://huntr.dev/bounties/5-other-monicahq/monica/

⚙️ Description *

I fixed a client side template injection (CSTI) vulnerability in monica that was due to Vue.js and Blade's {{ code }} syntax. I simply filtered out the curly brackets ({{ and }}).

💻 Technical Description *

I added a simple regex preg_replace() to get rid of those pesky double curly brackets using /{{|}}/. This makes use of the 'alternation' (|) operator to find any of the substrings '{{' or '}}' and replace them with '' (nothing).

🐛 Proof of Concept (PoC) *

Click 'add someone', then set their name to the JavaScript payload surrounded by double curly brackets, e.g. {{ alert('xss') }}, and click 'add'. This will cause the code to run.

[Screenshot: Screenshot_2021-04-26_14-32-17]

🔥 Proof of Fix (PoF) *

Add another person with the same name, the code doesn’t run.

Note: this change doesn't affect already created 'people'.

👍 User Acceptance Testing (UAT)

N/A
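One way to apply the filter described above to every request, site wide, as an added example that is not the PR's own diff (the middleware class, where it is registered and the sample values are assumptions; the regex is the one the PR names):

```php
<?php
// Added example (not the PR's diff): applying the PR's preg_replace()
// filter to every string field of every request by extending Laravel's
// TransformsRequest, the same base class its TrimStrings middleware uses.
// The class name and its registration point are assumptions; the pattern
// /{{|}}/ is the one the PR describes.

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\TransformsRequest;

class StripTemplateDelimiters extends TransformsRequest
{
    // Alternation of the two substrings to delete.
    private const PATTERN = '/{{|}}/';

    // Called by the base class for every leaf value in query and body
    // input, including values nested inside arrays.
    protected function transform($key, $value)
    {
        if (! is_string($value)) {
            return $value;
        }

        $filtered = preg_replace(self::PATTERN, '', $value);

        // preg_replace() returns null on a PCRE error (e.g. backtrack
        // limit); fail closed rather than storing the value unfiltered.
        return $filtered ?? '';
    }
}

// Register in app/Http/Kernel.php next to TrimStrings (assumed location):
//   \App\Http\Middleware\StripTemplateDelimiters::class,
//
// Constructed sample values showing the effect:
//   "{{ alert('xss') }}"   ->  " alert('xss') "
//   "Jane {{Doe}}"         ->  "Jane Doe"
//   "{ single braces }"    ->  unchanged
```

As with the PR's change, this only filters incoming input; records stored before the fix are not rewritten.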

@huntr-helper

👋 Hello, @dependabot-preview[bot]. @bolshoytoster has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@dependabot-preview[bot] - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

