Flaws in popular WYSIWYG HTML text editors

guest · Jun 26, 2021

‘LEXSS’ injection: How to bypass lexical parsers by abusing HTML parsing logic
Researcher digs deeper into technique that uncovered flaws in popular WYSIWYG HTML text editors
June 24, 2021
https://portswigger.net/daily-swig/...lexical-parsers-by-abusing-html-parsing-logic

A security researcher has penned a deep dive on bypassing lexical parsers with special HTML tags that leverage HTML parsing logic to ultimately execute arbitrary JavaScript code.

Chris Davis, security consultant at Bishop Fox, has previously deployed the hacking technique to unearth high risk cross-site scripting (XSS) vulnerabilities in two popular What-You-See-Is-What-You-Get (WYSIWYG) HTML text editors.

The flaws in TinyMCE (disclosed in August 2020) and Froala (disclosed earlier this month) affected a combined 700,000 websites that incorporated the applications.
Click to expand...

What is lexical parsing?
“Lexical parsing is a very sophisticated way of preventing XSS because it evaluates whether the data is instructions or plaintext before performing additional logic such as blocking or encoding the data,” says Davis in his technical write-up.
Future research
Asked why he pursued this research avenue, Davis tells The Daily Swig: “This type of context state parsing based analysis is so widespread yet relatively uncovered.

“So getting a better understanding of how HTML in general is parsed and how rich-text style editors or sanitization libraries then parse that data and how we can exploit that knowledge was, to me, fascinating.”
Click to expand...

Log in or Sign up

Flaws in popular WYSIWYG HTML text editors

guest Guest

Log in or Sign up

Flaws in popular WYSIWYG HTML text editors

guest Guest

Useful Searches