Stored XSS attack: Link preview in channel messages

dhorak_instawork · February 14, 2024, 7:38pm

[Problem/Question]
There is a vulnerability that exists on the “hyperlink card” (preview of the link posted into a channel) when you send a link to someone’s else in a conversation.

An attacker can manipulate the value of the “og:url” meta tag with a JavaScript payload, e.g. javascript:alert(), which result in the XSS being clicklable on victim’s side.

A PoC can be found in the Reproduction Steps section

Is there any way how put in place Content Security Policy and/or to set Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in without this vulnerability?.

[UIKit Version]
@sendbird/chat: 4.10.4
@sendbird/uikit-react: 3.9.0

[Reproduction Steps]

Open the sample app, https://stackblitz.com/edit/sendbird-react-uikit-base-app?file=src%2FApp.jsx
Send https://testdiog10.000webhostapp.com/t.html into any chat
Click on the link when preview rendered
JS alert is executed to showcase the Stored XSS vulenerability.

[Frequency]
All the time

[Current impact]
It has been report a high severity potential Stored XSS attack by a security advisor.

Miyoung_Han · March 25, 2024, 6:45pm

We released the fix in v3.9.3

github.com

sendbird/sendbird-uikit-react/blob/main/CHANGELOG.md#v393-jan-5-2024

# Changelog - v3

## [v3.13.3] (Mar 22, 2024)

### Features
* Added a `renderMenuItem` to the `MessageMenu` component
  * How to use?
  ```tsx
  <GroupChannel
    renderMessageContent={(props) => (
      <MessageContent
        {...props}
        renderMessageMenu={(props) => (
          <MessageMenu
            {...props}
            renderMenuItem={(props) => {
              const {
                className,
                onClick,
                dataSbId,

This file has been truncated. show original

Stored XSS attack: Link preview in channel messages

Not finding what you need