Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"type": "bug",
"message": "Prevents a malicious display name from running scripts in rich text mentions",
"issue_origin": "github",
"issue_number": null,
"domain": "core",
"bullet_points": [],
"created_at": "2026-06-30"
}
14 changes: 13 additions & 1 deletion web-frontend/modules/core/editor/mention.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,17 @@ import regexp from 'markdown-it-regexp'

const USER_ID_REGEXP = /@(\d+)/

// Escape user-controlled text before it's interpolated into the raw HTML
// string below, which is rendered with v-html. Without this, a malicious
// display name could inject markup and execute a stored XSS.
const escapeHtml = (value) =>
String(value)
.replace(/&/g, '&')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;')

export const parseMention = (users, loggedUserId = null) =>
regexp(USER_ID_REGEXP, (match, utils) => {
const user = users.find((user) => user.user_id === parseInt(match[1]))
Expand All @@ -11,9 +22,10 @@ export const parseMention = (users, loggedUserId = null) =>
if (user.user_id === loggedUserId) {
className += ' rich-text-editor__mention--current-user'
}
const name = escapeHtml(user.name)
// NOTE: Keep this in sync with the @tiptap/extension-mention
// https://github.com/ueberdosis/tiptap/blob/main/packages/extension-mention/src/mention.ts
return `<span class="${className}" data-id="${user.user_id}" data-label="${user.name}" data-type="mention">@${user.name}</span>`
return `<span class="${className}" data-id="${user.user_id}" data-label="${name}" data-type="mention">@${name}</span>`
} else {
return `@${match[1]}`
}
Expand Down
45 changes: 45 additions & 0 deletions web-frontend/test/unit/core/editor/mention.spec.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
import { parseMarkdown } from '@baserow/modules/core/editor/markdown'

describe('rich-text mention rendering', () => {
const XSS_PAYLOAD = '"><img src=x onerror=alert(document.domain)>'

test('escapes a malicious workspace user name (stored XSS)', () => {
const users = [{ user_id: 1, name: XSS_PAYLOAD }]

const html = parseMarkdown('Hello @1', { workspaceUsers: users })

// The payload must not survive as a live element, nor break out of the
// data-label attribute into the span's content.
expect(html).not.toContain('<img')
expect(html).not.toContain('data-label=""')
expect(html).toContain('&lt;img')

// Parsing the output confirms no injected element ever materializes; the
// payload stays inert text inside the single mention span.
const doc = new DOMParser().parseFromString(html, 'text/html')
expect(doc.querySelector('img')).toBeNull()
const mention = doc.querySelector('span[data-type="mention"]')
expect(mention).not.toBeNull()
expect(mention.getAttribute('data-id')).toBe('1')
expect(mention.textContent).toBe(`@${XSS_PAYLOAD}`)
})

test('renders a normal workspace user name unchanged', () => {
const users = [{ user_id: 1, name: 'Jane Doe' }]

const html = parseMarkdown('Hello @1', { workspaceUsers: users })

expect(html).toContain('data-label="Jane Doe"')
expect(html).toContain('>@Jane Doe</span>')
expect(html).toContain('data-type="mention"')
})

test('preserves ampersands in names without double-escaping the markup', () => {
const users = [{ user_id: 2, name: 'Tom & Jerry' }]

const html = parseMarkdown('Ping @2', { workspaceUsers: users })

expect(html).toContain('Tom &amp; Jerry')
expect(html).not.toContain('Tom & Jerry')
})
})
Loading