Severity: MEDIUM 6.1

GHSA-g2g4-47gv-p72v

CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS

Details

### Summary

CryptPad's HTML sanitizer in Diffmarked.js can be bypassed due to incomplete filtering of restricted tags. Because the sanitizer only validates the `src` attribute of `<iframe>`, `<video>`, and `<audio>` elements, and does not restrict other attributes, an attacker can inject arbitrary HTML through `srcdoc`. This completely defeats CryptPad's intended bounce sandboxing and allows link injection or other interactive content inside user-controlled documents.

### Details

The sanitizer defines forbidden and restricted tags but treats `<iframe>` as "restricted" instead of "forbidden":

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L403-L407

The actual enforcement only checks the `src` attribute, nothing else:

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L445-L449

Because only `src` is validated, adding a benign `blob:` `src` but a malicious `srcdoc` results in unrestricted rendering.

### PoC

An attacker can embed arbitrary HTML, including clickable external links, images, or interactive content, completely bypassing CryptPad’s bounce mechanism and sanitization:

```html
<iframe src=blob: srcdoc="<a href=https://attacker.com target=_blank>CLICK ME</a>"></iframe>
```
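As an added illustration (not CryptPad's code), the following models the check the advisory describes beside an allowlist-based version that strips `srcdoc`. The element shape `{ tag, attrs }`, the forbidden-tag list and the attribute allowlist are assumptions so it runs without a DOM.

```javascript
// Added example, not CryptPad's code: models the sanitizer policy on a plain
// { tag, attrs } object so it runs without a DOM. Tag and attribute lists are assumed.

const FORBIDDEN = new Set(['script', 'style', 'object', 'embed']);   // assumed list
const RESTRICTED = new Set(['iframe', 'video', 'audio']);            // from the advisory

// The advisory states only `src` is checked; we assume "valid" means a blob: URL.
function hasSafeSrc(attrs) {
  const src = attrs.src;
  return typeof src === 'string' && src.toLowerCase().startsWith('blob:');
}

// Weak policy as described: validate `src`, pass every other attribute through.
// Returns the element to keep, or null to drop it.
function weakFilter(el) {
  if (FORBIDDEN.has(el.tag)) return null;
  if (RESTRICTED.has(el.tag) && !hasSafeSrc(el.attrs)) return null;
  return el;                                   // srcdoc survives here
}

// Hardened policy: restricted elements keep only allowlisted attributes, so
// srcdoc (and any attribute the author never anticipated) is stripped.
const ALLOWED_ON_RESTRICTED = new Set(['src', 'controls', 'width', 'height']); // assumed
function strictFilter(el) {
  if (FORBIDDEN.has(el.tag)) return null;
  if (!RESTRICTED.has(el.tag)) return el;
  if (!hasSafeSrc(el.attrs)) return null;
  const kept = {};
  for (const [name, value] of Object.entries(el.attrs)) {
    if (ALLOWED_ON_RESTRICTED.has(name.toLowerCase())) kept[name] = value;
  }
  return { tag: el.tag, attrs: kept };
}

// The advisory's PoC element, as a parser would hand it to the sanitizer.
const poc = {
  tag: 'iframe',
  attrs: { src: 'blob:', srcdoc: '<a href=https://attacker.com target=_blank>CLICK ME</a>' },
};

console.log('weak  :', weakFilter(poc));    // srcdoc passes through
console.log('strict:', strictFilter(poc));  // { tag: 'iframe', attrs: { src: 'blob:' } }
```

The same allowlist approach covers `video` and `audio`, since any attribute outside the list is dropped regardless of which restricted tag carries it.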

Although CSP is strict, CryptPad exposes several same-origin gadgets that can execute attacker-controlled code.

For example, `jscolor.js` dynamically evaluates user-provided options: https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/jscolor.js#L65-L71

### Impact

Sanitizer bypass, HTML injection and potentially XSS.


Affected packages

npm / cryptpad
Introduced in: 0

No fixed version published yet for cryptpad (npm). Pin to a known-safe version or switch to an alternative.
