GHSA-4r4f-gg25-rmg5
plone.app.textfield: Stored XSS by spoofing mime type
Details
### Impact
A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type (`text/x-html-safe`) is the type that signifies "already sanitized", any value whose stored mimeType equals it bypasses the safe_html transform entirely on render. The transform itself is sound — it correctly strips `on*` event-handler attributes and `javascript:/data:` URIs; the defect is that it is never invoked for these values. The unsanitized value is then emitted via `tal:content="structure ..."`, which performs no escaping, so the payload executes in the viewer's browser.
This can be a problem when a RichText field is wrongly defined in code with a `mimeType` and `outputMimeType` that are the same, or when the REST API is used to the same effect.
### Patches The problem has been patched:
* For Plone 6.0, upgrade `plone.app.textfield` to 2.0.2. * For Plone 6.1, upgrade `plone.app.textfield` to 3.0.2. * For Plone 6.2, upgrade `plone.app.textfield` to 4.0.1.
### Workarounds There is no known workaround.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 2.0.2 pip install --upgrade 'plone-app-textfield>=2.0.2' 3.0.0 Fixed in: 3.0.2 pip install --upgrade 'plone-app-textfield>=3.0.2' 4.0.0 Fixed in: 4.0.1 pip install --upgrade 'plone-app-textfield>=4.0.1'