[SECURITY] stored xss in shared text content

**Describe the bug**

FileCodeBox doesn't validate user input and sanitize output in shared text content, results in stored xss vulnerability. This allows attackers to inject and store malicious javascript or html codes, which can be automatically executed in the browsers of users who try to access a codebox.

**PoC**

An attacker can create a text codebox containing arbitrary javascript codes and trick potential victims into accessing it.

![Image](https://github.com/user-attachments/assets/8a84c9eb-76db-4b9d-91f8-5d3e3abc11ff)

Xss script can be triggered on victim's browser immediately after victim click on sharing link or enters share code. There is no chance for victim to inspect its content before accessing a codebox.

![Image](https://github.com/user-attachments/assets/c5316ea0-60c6-4e0c-9764-0dd89ae42a27)

**Affected versions**

<= 2.2

**Additional context**

[CWE-79](https://cwe.mitre.org/data/definitions/79.html)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[SECURITY] stored xss in shared text content #351

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[SECURITY] stored xss in shared text content #351

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions