XSS vulnerability in GraphiQL implementation

The value of the GET parameter query is returned unescaped in the main block of inline JavaScript. Without Content Security Policy (CSP), one is able to break out of the config variable and execute arbitrary JavaScript.

It appears that [`graphiql_workspace.html.eex`](https://github.com/absinthe-graphql/absinthe_plug/blob/38ce447375f035ea6355bb2687b1145cbc538bdd/lib/absinthe/plug/graphiql/graphiql_workspace.html.eex#L52) renders the page with the `query_string` variable. This template is loaded by [`Absinthe.Plug.GraphiQL`](https://github.com/absinthe-graphql/absinthe_plug/blob/35b0661b24474cec1b857e8d2cc04f01077026d3/lib/absinthe/plug/graphiql.ex#L142) which [attempts to escape](https://github.com/absinthe-graphql/absinthe_plug/blob/35b0661b24474cec1b857e8d2cc04f01077026d3/lib/absinthe/plug/graphiql.ex#L241) the query parameter. It is trivial to bypass this escaping with a backslash.

# Steps to Reproduce

1. Browse `/api/v2_alpha/graphiql?query=xxx\%27});confirm(document.domain);%20var%20x=new%20graphiqlWorkspace.AppConfig(%22x%22,{//`.
2. Observe the JavaScript alert dialog with the value of `document.domain`.

# Credits
40826d uncovered this vulnerability and wrote the initial draft of this bug report

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS vulnerability in GraphiQL implementation #275

Steps to Reproduce

Credits

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

XSS vulnerability in GraphiQL implementation #275

Description

Steps to Reproduce

Credits

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions