Server-side cross-site scripting in gogs.io/gogs
Description
Gogs has DOM-based XSS via Milestone Name on New Issue Page
Summary
The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to templates/repo/issue/view_content.tmpl but not to templates/repo/issue/new_form.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page and interacts with the milestone dropdown, the payload executes in their browser via Semantic UI's preserveHTML behavior.
Details
GHSA-vgjm-2cpf-4g7c was patched by piping the milestone name through `| Sanitize` (bluemonday HTML tag stripping) in view_content.tmpl. The same milestone dropdown exists in new_form.tmpl, and that template was not patched.
In new_form.tmpl the milestone name is rendered as `{{.Name}}`, so Go's html/template auto-escaping converts `<` to `&lt;`, `>` to `&gt;`, and so on. This prevents direct HTML injection: the response body contains no tag. Once the browser parses that markup, however, the text content of the dropdown item is the decoded original string, e.g. `<img src=x onerror=alert(1)>`.
Semantic UI 2.4.2's dropdown component has `preserveHTML: true` as its default setting. When the user selects an item, the internal `set.text()` method passes the item's text content to jQuery's `.html()`, which parses the decoded string as HTML. The `<img>` element is created, its load fails, and the `onerror` handler executes in the victim's browser.
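The following JavaScript is an added illustration, not code from Gogs or Semantic UI: it models the chain described above in pure Node (no DOM) so the three states can be compared side by side. `goTemplateEscape` approximates Go's html/template escaping of `{{.Name}}`, `domTextContent` models what the HTML parser stores as the item's text, `dropdownSetText` models the two branches of Semantic UI's `set.text()`, and `stripTags` is a regex stand-in for the `| Sanitize` step (a model of what bluemonday does here, not a sanitizer to deploy). The function names and the sample milestone name are constructed for the demonstration.

```javascript
// Added example, not Gogs or Semantic UI code: a pure-JS model of how an
// auto-escaped milestone name turns back into live markup once the dropdown
// re-inserts it with jQuery .html(). Runs in Node without a DOM.

// Step 1: approximation of Go html/template escaping of {{.Name}}
// (the html.EscapeString characters that matter for this bug).
function goTemplateEscape(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&#34;")
    .replace(/'/g, "&#39;");
}

// Step 2: what the HTML parser stores as the dropdown item's text content:
// entities decoded back to the original characters. (&amp; is decoded last so
// that "&amp;lt;" does not become "<".)
function domTextContent(escaped) {
  return escaped
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&#34;|&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Step 3: the two branches of Semantic UI's set.text(). With preserveHTML
// (the 2.4.2 default) the text goes through jQuery .html() and is parsed as
// markup; with preserveHTML: false it goes through .text(), i.e. becomes a
// text node whose serialization escapes &, < and >.
function dropdownSetText(text, preserveHTML) {
  if (preserveHTML) return text;
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Server-side stand-in for the | Sanitize step (bluemonday tag stripping).
// Model only: regex tag stripping is not a sanitizer to deploy.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, "");
}

// Judge the final markup: does it contain an element with an on* handler?
function hasLiveHandler(markup) {
  return /<\w+[^>]*\son\w+\s*=/i.test(markup);
}

// End-to-end: stored name -> template output -> DOM text -> what the dropdown
// writes into its .text element when the item is selected.
function simulateMilestoneDropdown(name, { sanitize = false, preserveHTML = true } = {}) {
  const stored = sanitize ? stripTags(name) : name;      // what is in the DB
  const templateOutput = goTemplateEscape(stored);       // what the server sends
  const itemText = domTextContent(templateOutput);       // what the DOM holds
  return dropdownSetText(itemText, preserveHTML);        // what selection renders
}

// Constructed sample milestone name, the payload shape from the advisory.
const SAMPLE_NAME = "Release 1.0 <img src=x onerror=alert(1)>";

for (const [label, opts] of [
  ["unpatched new_form.tmpl", {}],
  ["client fix, preserveHTML: false", { preserveHTML: false }],
  ["server fix, | Sanitize", { sanitize: true }],
]) {
  const result = simulateMilestoneDropdown(SAMPLE_NAME, opts);
  console.log(`${label}: ${hasLiveHandler(result) ? "XSS" : "safe"} -> ${JSON.stringify(result)}`);
}
```

The unpatched path hands the decoded string to `.html()` and the `onerror` handler survives, while either fix alone removes it. In a real deployment the two are complementary: `$('.ui.dropdown').dropdown({ preserveHTML: false })` (Semantic UI's documented setting) stops the client from re-parsing any text as markup, and applying `| Sanitize` in new_form.tmpl matches the fix already in view_content.tmpl so a milestone name never carries tags into the page at all.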
PoC
The PoC is attached as poc.zip. Extract the archive first, then start the environment from the extracted directory with:
docker compose up --build
Impact
Stored DOM XSS: Any user with write access to a repository can create a malicious milestone. Any other user who visits the New Issue page and interacts with the milestone dropdown will have arbitrary JavaScript executed in their browser session.
Session hijacking: The attacker can steal session cookies, perform actions as the victim, or escalate privileges.
Mitigation
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | gogs.io/gogs | 0.14.3 | |