CryptPad HTML Sanitizer Bypass Vulnerability in Diffmarked.js Allowing Arbitrary HTML Injection

Vulnerability

A vulnerability exists in CryptPad versions prior to 2026.2.0: the HTML sanitizer in Diffmarked.js can be bypassed because it filters the attributes of restricted tags incompletely. The sanitizer classifies <iframe>, <video>, and <audio> as 'restricted' rather than 'forbidden', and its enforcement for restricted tags validates only the src attribute, leaving every other attribute unchecked. Because browsers render a srcdoc attribute in preference to src, an attacker can pair a benign blob: src (which passes the check) with a malicious srcdoc carrying arbitrary HTML. The injected markup renders without restriction, undermining CryptPad's bounce sandboxing and enabling link injection or other interactive content in user-controlled documents.

Impact

Exploitation of this vulnerability bypasses the HTML sanitizer, allowing arbitrary HTML to be injected into a document. Depending on what the injected markup can reach once rendered, this could lead to cross-site scripting (XSS) attacks against users who open the document.

Reproduction

To reproduce this vulnerability, create a document in a CryptPad version prior to 2026.2.0. Insert an <iframe> element whose src is a benign blob: URL and whose srcdoc attribute contains the injected HTML, such as a link to an external site. The sanitizer checks only src, so the srcdoc content is rendered without restriction, bypassing CryptPad's security measures.
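The following is an added illustrative example, not code from CryptPad or Diffmarked.js. It models the policy flaw described in the Vulnerability and Reproduction sections with a minimal tag-level tokenizer: a "restricted" tag is judged by its src alone, so a srcdoc attribute rides through, whereas a hardened policy keeps only an explicit per-tag attribute allowlist. The FORBIDDEN set, the SAFE_SRC check, the RESTRICTED_ATTRS allowlist, and the sample payload (including its hostnames) are all assumptions constructed for this example. A production sanitizer should operate on a parsed DOM rather than on regex-tokenized text; the tokenizer here exists only to make the two policies comparable.

```javascript
// Added example (not CryptPad's code): contrasts a sanitizer policy that checks
// only src on restricted tags with one that allowlists attributes per tag.

const FORBIDDEN = new Set(["script", "object", "embed"]);  // assumed forbidden set
const RESTRICTED = new Set(["iframe", "video", "audio"]);   // restricted tags named in the advisory
const SAFE_SRC = /^(?:blob:|https?:\/\/)/i;                 // assumed src policy
// Assumed per-tag attribute allowlist used by the hardened policy.
const RESTRICTED_ATTRS = {
  iframe: new Set(["src", "width", "height", "sandbox"]),
  video: new Set(["src", "controls", "width", "height"]),
  audio: new Set(["src", "controls"]),
};

const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse `name="value"` pairs out of a start tag's attribute string.
function parseAttrs(s) {
  const attrs = {};
  for (const m of s.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function serialize(name, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`);
  return `<${name}${parts.length ? " " + parts.join(" ") : ""}>`;
}

// Vulnerable policy: a restricted tag passes or fails on src alone; every other
// attribute, srcdoc included, is returned untouched.
function vulnerablePolicy(name, attrs) {
  if (FORBIDDEN.has(name)) return null;
  if (RESTRICTED.has(name)) return SAFE_SRC.test(attrs.src || "") ? attrs : null;
  return attrs;
}

// Hardened policy: the src check still applies, but a restricted tag keeps only
// allowlisted attributes. srcdoc is not on the list, so it is dropped.
function hardenedPolicy(name, attrs) {
  if (FORBIDDEN.has(name)) return null;
  if (RESTRICTED.has(name)) {
    if (!SAFE_SRC.test(attrs.src || "")) return null;
    const kept = {};
    for (const [k, v] of Object.entries(attrs)) {
      if (RESTRICTED_ATTRS[name].has(k)) kept[k] = v;
    }
    return kept;
  }
  return attrs;
}

// Walk the markup tag by tag; a policy returning null drops the element and
// everything up to its matching closing tag.
function sanitize(html, policy) {
  let out = "";
  let last = 0;
  let skipping = null; // name of the element whose subtree is being discarded
  for (const m of html.matchAll(TAG_RE)) {
    const [raw, slash, rawName, attrString] = m;
    const name = rawName.toLowerCase();
    if (skipping) {
      if (slash && name === skipping) { skipping = null; last = m.index + raw.length; }
      continue;
    }
    out += html.slice(last, m.index);
    last = m.index + raw.length;
    if (slash) { out += `</${name}>`; continue; }
    const attrs = policy(name, parseAttrs(attrString));
    if (attrs === null) { skipping = name; continue; }
    out += serialize(name, attrs);
  }
  if (!skipping) out += html.slice(last);
  return out;
}

function sanitizeVulnerable(html) { return sanitize(html, vulnerablePolicy); }
function sanitizeHardened(html) { return sanitize(html, hardenedPolicy); }

// Constructed payload in the shape the advisory describes: a benign blob: src
// paired with a srcdoc that carries an injected external link.
const PAYLOAD =
  "<p>Meeting notes</p>" +
  '<iframe src="blob:https://cryptpad.example/3f1c" ' +
  'srcdoc="&lt;a href=&quot;https://attacker.example/&quot;&gt;open&lt;/a&gt;"></iframe>' +
  "<script>alert(1)</script>";

console.log("vulnerable:", sanitizeVulnerable(PAYLOAD));
console.log("hardened:  ", sanitizeHardened(PAYLOAD));
```

Run with `node`. The vulnerable policy strips the `<script>` block and accepts the iframe because its src is a blob: URL, yet the srcdoc survives verbatim, which is the bypass. The hardened policy keeps the same iframe with only its src. Treating <iframe> as forbidden outright is the other obvious fix; the advisory does not say which approach 2026.2.0 took.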

Remediation

Upgrade to CryptPad version 2026.2.0 or later, where this vulnerability has been fixed. Self-hosting administrators should confirm the deployed instance actually reports 2026.2.0 or newer after the upgrade, since any earlier release remains affected.

Added: May 20, 2026, 9:00 PM
Updated: May 20, 2026, 9:00 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 6.3
remediation: 0.0
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.