ApostropheCMS Sanitize-HTML Package Allowed Tags Bypass Vulnerability in Textarea and Option Elements

Vulnerability

A vulnerability in ApostropheCMS versions through 4.28.0, stemming from a regression in the sanitize-html package, allows the allowedTags filter to be bypassed inside textarea and option elements. The sanitizer incorrectly assumes that htmlparser2 does not decode entities in these elements; in reality, htmlparser2 10.x does decode them, so entity-encoded markup placed inside these elements is decoded after the tag filter has run, enabling the injection of arbitrary tags, including those carrying XSS payloads. The vulnerability affects non-default configurations where option or textarea tags are allowed, a common scenario in form builders and CMS platforms.

Impact

Exploitation of this vulnerability leads to a complete bypass of the allowedTags filter, allowing any HTML tag to be injected through option or textarea elements. This can result in stored cross-site scripting in applications that sanitize user-submitted HTML and allow these tags. The injected tags could include event handlers that execute attacker-controlled script, for example to steal session cookies or authentication tokens.

Reproduction

To reproduce this vulnerability, use ApostropheCMS 4.28.0 with sanitize-html version 2.17.2. Include 'option' or 'textarea' in the allowedTags configuration. Then, submit entity-encoded HTML, such as a script tag, inside an option or textarea element. The sanitizer decodes the entities after the allowedTags filter has been applied, so the injected markup passes through and is rendered.

Remediation

Update to ApostropheCMS version 4.29.0 and sanitize-html version 2.17.3, both of which address this vulnerability.
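As an added example that is not part of this advisory, the script below audits a package-lock.json for installs of sanitize-html or ApostropheCMS below the fixed versions named above, including nested copies under another package's node_modules. The lockfile contents are constructed for illustration.

```javascript
// Added example (not from the advisory or either project): audit a
// package-lock.json (lockfile v2/v3 "packages" map) for vulnerable versions.

// Compare two dotted version strings numerically; a pre-release suffix is
// ignored, so "2.17.3-beta" is treated as 2.17.3.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name -> first fixed version, as stated in the advisory.
const FIXED = { 'sanitize-html': '2.17.3', apostrophe: '4.29.0' };

// Walk every install path in the lockfile and return those still vulnerable.
// Nested installs such as node_modules/apostrophe/node_modules/sanitize-html
// are caught because the name is taken from the last path segment.
function findVulnerable(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path) continue; // "" is the root project itself, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const fixed = FIXED[name];
    if (fixed && meta.version && compareVersions(meta.version, fixed) < 0) {
      findings.push({ path, name, version: meta.version, fixed });
    }
  }
  return findings;
}

// Constructed lockfile: the top-level sanitize-html is already patched, but an
// older copy is still installed beneath an unpatched apostrophe.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-site', version: '1.0.0' },
    'node_modules/sanitize-html': { version: '2.17.3' },
    'node_modules/apostrophe': { version: '4.28.0' },
    'node_modules/apostrophe/node_modules/sanitize-html': { version: '2.17.2' },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is below fixed version ${f.fixed}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.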

Added: Apr 15, 2026, 10:46 PM
Updated: Apr 15, 2026, 10:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 8.2
remediation: 8.3
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.