Server-side cross-site scripting in gogs.io/gogs
Description
Gogs: Stored XSS via data URI in issue comments
Summary
A Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links.
Details
The vulnerability is located in internal/markup/sanitizer.go. The application uses the bluemonday HTML sanitizer but explicitly weakens the security policy by allowing the data URL scheme:
// internal/markup/sanitizer.go
func NewSanitizer() {
	sanitizer.init.Do(func() {
		// ...
		// Data URLs
		sanitizer.policy.AllowURLSchemes("data")
		// ...
	})
	...
While the Markdown renderer rewrites relative links (mitigating standard Markdown [link](data:...) attacks), Gogs supports Raw HTML input. Raw HTML anchor tags bypass the Markdown parser's link rewriting and are processed directly by the sanitizer. Since the sanitizer is configured to allow data: URIs, payloads like <a href="data:text/html..."> are rendered as-is.
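The following is an added illustration, not code from Gogs or from bluemonday: it models the scheme-allowlist decision a sanitizer makes for a link target and contrasts the weak policy described above (a flat allowlist that includes `data`) with a hardened one that drops `data` from the link allowlist and permits data: URIs only as image sources with an `image/*` media type. The function names, the allowlist contents, the treatment of relative links as permitted, and the image media-type list are assumptions of this example; the base64 payload in `main` is the one from the PoC section.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed allowlists. weakSchemes has the shape of the policy the advisory
// describes: "data" sits next to ordinary link schemes, so any data: URI in a
// raw <a href> survives. hardenedSchemes leaves it out.
var weakSchemes = []string{"http", "https", "mailto", "data"}
var hardenedSchemes = []string{"http", "https", "mailto"}

// Assumed set of data: media types acceptable inline, and only inside <img src>.
var imageDataTypes = []string{"image/png", "image/jpeg", "image/gif", "image/webp"}

// linkScheme normalises a raw attribute value the way a browser would before
// extracting its scheme: ASCII tab/CR/LF are dropped anywhere in the URL and
// surrounding whitespace is trimmed, so " DATA:..." or "java\tscript:..." are
// not mistaken for scheme-less relative links. Anything net/url cannot parse
// is reported as not ok, so callers fail closed.
func linkScheme(raw string) (scheme, opaque string, ok bool) {
	clean := strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(strings.TrimSpace(raw))
	u, err := url.Parse(clean)
	if err != nil {
		return "", "", false
	}
	// net/url lowercases the scheme, so "DATA:" and "data:" compare equal.
	return u.Scheme, u.Opaque, true
}

// WeakPolicyAllows models a flat scheme allowlist that contains "data":
// the PoC anchor passes because its scheme is on the list.
func WeakPolicyAllows(raw string) bool {
	scheme, _, ok := linkScheme(raw)
	if !ok {
		return false
	}
	if scheme == "" {
		return true // relative link (assumed permitted by the policy)
	}
	for _, s := range weakSchemes {
		if scheme == s {
			return true
		}
	}
	return false
}

// HardenedPolicyAllows keeps "data" off the link allowlist entirely and
// accepts a data: URI only when it is an <img src> carrying an image/* type.
// tag and attr name the element and attribute the value came from.
func HardenedPolicyAllows(tag, attr, raw string) bool {
	scheme, opaque, ok := linkScheme(raw)
	if !ok {
		return false
	}
	if scheme == "" {
		return true // relative link (assumed permitted by the policy)
	}
	if scheme == "data" {
		if tag != "img" || attr != "src" {
			return false // a navigable data: link is never acceptable
		}
		mediaType := strings.ToLower(opaque) // e.g. "image/png;base64,...."
		for _, t := range imageDataTypes {
			if strings.HasPrefix(mediaType, t+";") || strings.HasPrefix(mediaType, t+",") {
				return true
			}
		}
		return false
	}
	for _, s := range hardenedSchemes {
		if scheme == s {
			return true
		}
	}
	return false
}

func main() {
	poc := "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=" // payload from the PoC
	fmt.Println("weak policy keeps PoC anchor:    ", WeakPolicyAllows(poc))
	fmt.Println("hardened policy keeps PoC anchor:", HardenedPolicyAllows("a", "href", poc))
	fmt.Println("hardened policy keeps png image: ", HardenedPolicyAllows("img", "src", "data:image/png;base64,iVBORw0KGgo="))
}
```

Under the weak allowlist the PoC anchor is kept; under the hardened one it is dropped while ordinary `https:` links, relative repository links, and inline PNG images still pass. Scheme-casing tricks and embedded tab/newline characters are normalised before the comparison, so they do not reopen the gap.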
PoC
Create a file named exploit.md in a repository.
Add the following content (Raw HTML):
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">Click me for XSS</a>
Commit and push the file.
Navigate to the file in the Gogs web interface.
Click the "Click me for XSS" link.
Result: An alert box with "XSS" appears, executing the JavaScript payload.
Impact
This is a Stored XSS vulnerability. Any user who views the malicious comment and clicks the link will execute the attacker-supplied JavaScript in their browser context. This allows attackers to:
Steal authentication cookies and session tokens.
Perform arbitrary actions on behalf of the victim (e.g., modifying repositories, adding collaborators).
Redirect users to malicious sites.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
go | 0.14.2 |
Aliases
References