GHSA-g2g4-47gv-p72v
Severity: Medium (CVSS 6.1)

CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS

Published
May 26, 2026
Last Modified
May 26, 2026

CVE IDs covered (1)

Description

Summary

CryptPad’s HTML sanitizer in Diffmarked.js can be bypassed because its filtering of restricted tags is incomplete. The sanitizer only validates the src attribute of <iframe>, <video>, and <audio> elements and does not restrict any other attribute, so an attacker can inject arbitrary HTML through srcdoc. This completely defeats CryptPad’s intended bounce sandboxing and allows link injection or other interactive content inside user-controlled documents.

Details

The sanitizer defines forbidden and restricted tags, but treats <iframe> as “restricted” instead of “forbidden”:

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L403-L407

The actual enforcement only checks the src attribute and nothing else:

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L445-L449

Because only src is validated, an element with a benign blob: src and a malicious srcdoc is rendered without any restriction.

PoC

An attacker can embed arbitrary HTML, including clickable external links, images, or interactive content, completely bypassing CryptPad’s bounce mechanism and sanitization:

<iframe src=blob: srcdoc="<a href=https://attacker.com target=_blank>CLICK ME</a>"></iframe>

Although the CSP is strict, CryptPad exposes several same-origin gadgets that can execute attacker-controlled code.

For example, jscolor.js dynamically evaluates user-provided options:

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/jscolor.js#L65-L71
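The flawed check and a hardened alternative, as an added JavaScript example that is not CryptPad's own code: it models the src-only validation described in Details, shows that the PoC's srcdoc attribute passes it, and shows an attribute-allowlist check rejecting the same element. The tag sets, the allowlist, the parser and the link target are assumptions, not the project's real values.

```javascript
// Added example, not CryptPad's code: a toy model of the restricted-tag check
// described in this advisory, run over a single start tag. The tag sets and the
// attribute allowlist are assumptions, not the project's real lists.
const RESTRICTED = new Set(['iframe', 'video', 'audio']);
const FORBIDDEN = new Set(['script', 'object', 'embed']); // assumed
const SAFE_RESTRICTED_ATTRS = new Set(['src', 'controls', 'width', 'height']); // assumed

// Minimal start-tag parser returning { tag, attrs } with lower-cased names.
// A quoted value may contain '>', which is how srcdoc carries whole markup.
function parseStartTag(html) {
  const m = /^<([a-zA-Z][\w-]*)/.exec(html);
  if (!m) return null;
  const ws = /\s*/y;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/y;
  const attrs = {};
  let pos = m[0].length;
  for (;;) {
    ws.lastIndex = pos; ws.exec(html); pos = ws.lastIndex;
    if (pos >= html.length || html[pos] === '>' || html[pos] === '/') break;
    attrRe.lastIndex = pos;
    const a = attrRe.exec(html);
    if (!a) break;
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    pos = attrRe.lastIndex;
  }
  return { tag: m[1].toLowerCase(), attrs };
}

// Flawed check, as the advisory describes it: forbidden tags are dropped, but a
// restricted tag is accepted on the strength of its src alone; srcdoc is never seen.
function allowsElementWeak(el) {
  if (FORBIDDEN.has(el.tag)) return false;
  if (!RESTRICTED.has(el.tag)) return true;
  return (el.attrs.src || '').startsWith('blob:');
}

// Hardened check: a restricted tag needs a blob: src AND may carry only
// allowlisted attributes, so srcdoc (or any other unexpected attribute) rejects it.
function allowsElementStrict(el) {
  if (FORBIDDEN.has(el.tag)) return false;
  if (!RESTRICTED.has(el.tag)) return true;
  if (!(el.attrs.src || '').startsWith('blob:')) return false;
  return Object.keys(el.attrs).every((name) => SAFE_RESTRICTED_ATTRS.has(name));
}

// Constructed payload with the same shape as the PoC above (link target is a placeholder).
const POC = '<iframe src=blob: srcdoc="<a href=https://example.test target=_blank>CLICK ME</a>"></iframe>';

console.log('weak   :', allowsElementWeak(parseStartTag(POC)));   // true  (bypass)
console.log('strict :', allowsElementStrict(parseStartTag(POC))); // false (rejected)
```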

Impact

Sanitizer bypass, HTML injection and potential XSS.

Affected products (1)

  • npm/cryptpad: <= 5.9.0

References (4)