CVE-2022-1730: Stored XSS on drawio in drawio

Sumary

Draw io has a feature to put links on a text, due to a bad sanitization it allows to put javascript:// scheme on a anchor tag which allows to execute javascript code

Steps to reproduce

1. Create a text box and set word size to 50
2. Click with the rigth button and “Edit link”
3. Put asdf://test.com
4. Click with the rigth button again and “Edit data”
5. On the “link” attribute put javascript:javascript://%0aalert(document.domain)
6. Export the page as URL
7. Click on the link

Impact

It also affects confluence as its available as an app on the marketplace, POC video: https://youtu.be/RHevZOx1nhc