
Cross Site Scripting In Profile Statement

Gratipay

Team Summary

Official summary from Gratipay

The researcher @muhaddimu found that during the conversion of `![img](src)` to HTML by [misaka](http://misaka.61924.nl/), the `src` field of the generated `img` tag is not sanitized. It allows the usage of sources like `data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K`. While we were not able to find any browser interpreting this attribute while rendering the page (no alert window is shown), it can only be triggered by doing a right click on the element and then choosing "Open in a new tab". By doing so, the browser interprets the JavaScript code in another context than gratipay.com—it's impossible to get the user's cookies (in addition to the `HttpOnly` flag) or to make any XHR request to gratipay.com. Since we can't find any direct security implication of this behaviour, this issue was not considered to be a security risk.
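The unsanitized `src` described above can be caught after rendering, before the HTML is stored or served. As an added example (not Gratipay's or misaka's code), the following Python filter keeps only http(s) and relative image sources and drops any other `src` attribute; the HTML sample is constructed to mimic what a markdown renderer emits for `![img](...)`.

```python
# Added example (not Gratipay's or misaka's code): a post-render filter that
# keeps only http(s) and relative image sources, so a markdown image whose
# src is a data: or javascript: URL never reaches the page as an <img src>.
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_image_src(src):
    """True for http(s) and scheme-less (relative) URLs; False for data:, javascript:, etc."""
    # Drop control and whitespace characters that browsers skip before the scheme.
    cleaned = "".join(ch for ch in src if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class ImgSrcSanitizer(HTMLParser):
    """Re-emits the HTML unchanged except that unsafe <img src> values are removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = 0

    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if tag == "img" and name == "src" and not is_safe_image_src(value or ""):
                self.dropped += 1
                continue  # strip the attribute, keep the element
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_img_sources(html):
    """Return (filtered_html, number_of_src_attributes_dropped)."""
    parser = ImgSrcSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample (not from the report): renderer output for two markdown images.
SAMPLE = ('<p><img src="https://example.com/a.png" alt="ok">'
          '<img src="data:text/html;base64,AAAA" alt="bad"></p>')

if __name__ == "__main__":
    print(sanitize_img_sources(SAMPLE))
```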

Reported by muhaddix

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Generic
Hey Sir, I have found Cross Site Scripting (XSS) vulnerabilities in updating the profile statement. This is an advanced XSS script; you can see it in XSS-Gratipay.txt. You can also see it live here: https://gratipay.com/~MuhaddiMu/

Steps to produce:

1) Log in to your account.
2) Click on Edit Statement.
3) Copy and paste the script I provided to you. 'F113916'
4) Save the statement & see it again.

See the screenshots I uploaded. 'F113918' 'F113919'

User Agent: Chrome and some others

Patching: Use advanced XSS security

Thanks!

Regards: Muhammad Muhaddis (Cyber Security Researcher)

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Submitted

Weakness

Cross-site Scripting (XSS) - Generic