CVE-2023-30609: Merge pull request from GHSA-xv83-x443-7rmw · matrix-org/matrix-react-sdk@bf182bc
matrix-react-sdk is a React-based SDK for embedding a Matrix chat/VoIP client in a web page. Prior to version 3.71.0, plain-text messages containing HTML tags are rendered as HTML in search results (the highlighted-body path that the `bodyToHtml` tests in this commit exercise). To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible because of the hardcoded Content Security Policy, so the impact is limited to attacker-controlled markup in the search results view. Version 3.71.0 of the SDK fixes the issue. As a workaround, restarting the client clears the injected HTML.
@@ -14,11 +14,12 @@ See the License for the specific language governing permissions and limitations under the License. */
import React from "react"; import React, { ReactElement } from "react"; import { mocked } from "jest-mock"; import { render, screen } from "@testing-library/react"; import { IContent } from "matrix-js-sdk/src/models/event";
import { topicToHtml } from "…/src/HtmlUtils"; import { bodyToHtml, topicToHtml } from "…/src/HtmlUtils"; import SettingsStore from "…/src/settings/SettingsStore";
jest.mock(“…/src/settings/SettingsStore”); @@ -29,7 +30,7 @@ const enableHtmlTopicFeature = () => { }); };
describe("HtmlUtils", () => { describe("topicToHtml", () => { function getContent() { return screen.getByRole(“contentinfo”).children[0].innerHTML; } @@ -62,3 +63,47 @@ describe(“HtmlUtils", () => { expect(getContent()).toEqual('<b>pizza</b> <span class="mx_Emoji” title=":pizza:">🍕</span>’); }); });
describe("bodyToHtml", () => { function getHtml(content: IContent, highlights?: string[]): string { return (bodyToHtml(content, highlights, {}) as ReactElement).props.dangerouslySetInnerHTML.__html; }
it("should apply highlights to HTML messages", () => { const html = getHtml( { body: "test **foo** bar", msgtype: "m.text", formatted_body: "test <b>foo</b> bar", format: "org.matrix.custom.html", }, [“test”], );
expect(html).toMatchInlineSnapshot(`"<span class="mx_EventTile_searchHighlight">test</span> <b>foo</b> bar"`); });
it("should apply highlights to plaintext messages", () => { const html = getHtml( { body: "test foo bar", msgtype: "m.text", }, [“test”], );
expect(html).toMatchInlineSnapshot(`"<span class="mx_EventTile_searchHighlight">test</span> foo bar"`); });
it("should not respect HTML tags in plaintext message highlighting", () => { const html = getHtml( { body: "test foo <b>bar", msgtype: "m.text", }, [“test”], );
expect(html).toMatchInlineSnapshot(`"<span class="mx_EventTile_searchHighlight">test</span> foo <b>bar"`); }); });
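Review bot: `mocked` is imported from `jest-mock` in the first hunk, but nothing in the visible context uses it; if it is used on the line that `enableHtmlTopicFeature` changes in the second hunk, fine, otherwise it is an unused import the lint step will reject. The added `jest.mock("…/src/settings/SettingsStore")` automock also applies to the new `bodyToHtml` tests, which never call `enableHtmlTopicFeature`, so whatever `bodyToHtml` reads from settings comes back as the automock's `undefined`; that is presumably intended, but a one-line comment saying so would stop the next reader from assuming these tests cover real settings.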
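Review bot: the third inline snapshot, as it appears here, still contains a literal `<b>bar` after the highlight span, which is exactly the injected-markup outcome the test name says must not happen; if the source reads `&lt;b&gt;bar` and the entities were unescaped when the page was rendered, nothing to do, but if the snapshot really is `<b>bar` the test passes against the vulnerable behaviour and must assert the escaped form. While here, `getHtml` reaches through `(bodyToHtml(content, highlights, {}) as ReactElement).props.dangerouslySetInnerHTML.__html`, so a return value without that prop fails with a TypeError instead of an assertion; an `expect(el).toHaveProperty("props.dangerouslySetInnerHTML.__html")` first would give a clearer failure. Consider also a case where the highlight term itself contains `<` or `&`, since the highlighter and the escaping have to agree on which form of the text is matched.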
### Impact

Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy.

### Patches

Version 3.71.0 of the SDK patches over the issue.

### Workarounds

Restarting the client will clear the HTML injection.
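The failure the CVE description and the advisory above both describe, as an added JavaScript example that is not matrix-react-sdk's own code: a search-result highlighter that wraps matched terms in the `mx_EventTile_searchHighlight` span the page's snapshots expect, first in a form that leaves the plain-text body unescaped (so a tag in the message becomes real markup once the string reaches `dangerouslySetInnerHTML`) and then in an escape-first form. The function names, the `containsInjectedMarkup` check and the sample bodies are assumptions constructed for this example, not values from the project.

```javascript
// Added example, not matrix-react-sdk code. Builds the HTML string a
// search-result tile would hand to dangerouslySetInnerHTML. Function
// names and sample inputs are constructed for illustration.

const HIGHLIGHT_CLASS = "mx_EventTile_searchHighlight"; // class seen in the page's snapshots

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One alternation over all non-empty terms, with a capturing group so that
// String.prototype.split keeps the matches at odd indices.
function buildHighlightRegExp(highlights) {
  const terms = highlights.filter((t) => t.length > 0).map(escapeRegExp);
  return terms.length ? new RegExp(`(${terms.join("|")})`, "gi") : null;
}

// Vulnerable form: the plain-text body is concatenated into the HTML string
// unescaped, so "<b>bar" in a message survives as a real <b> element.
function highlightPlaintextVulnerable(body, highlights) {
  const re = buildHighlightRegExp(highlights);
  if (!re) return body;
  return body.replace(re, (m) => `<span class="${HIGHLIGHT_CLASS}">${m}</span>`);
}

// Fixed form: tokenise the raw body on the terms first, then escape every piece
// and wrap only the matched pieces. Matching on the raw text rather than on the
// escaped text keeps a term such as "amp" from landing inside an "&amp;" entity.
function highlightPlaintextFixed(body, highlights) {
  const re = buildHighlightRegExp(highlights);
  if (!re) return escapeHtml(body);
  return body
    .split(re)
    .map((piece, i) =>
      i % 2 === 1
        ? `<span class="${HIGHLIGHT_CLASS}">${escapeHtml(piece)}</span>`
        : escapeHtml(piece),
    )
    .join("");
}

// Regression check: anything that opens an element other than the highlight
// span came from the message body, which is the injection the advisory describes.
function containsInjectedMarkup(html) {
  return /<(?!\/?span\b)[a-z!\/]/i.test(html);
}

// Constructed sample, shaped like the third test case in the commit.
const sampleBody = "test foo <b>bar";
console.log(highlightPlaintextVulnerable(sampleBody, ["test"]));
console.log(highlightPlaintextFixed(sampleBody, ["test"]));
```

Because the result is handed to `dangerouslySetInnerHTML`, the only safe invariant is that every character of the body is entity-encoded before any markup is concatenated around it: escaping after highlighting would also encode the spans, and matching against already-escaped text can split an entity, which is why the fixed version tokenises the raw body first. The Content Security Policy the advisory mentions stops injected scripts from running, not injected markup from rendering, so a test on the produced string, like the third one in this commit, is what pins the fix.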