
Stored XSS via Installment Message in Emails #17

@ghost

Description

Vulnerability: Stored Cross-Site Scripting (XSS)

Location: Email generation using Installments (Workflows/Posts)

Source: Installment.message field (controllable by sellers via the workflow/post editor, likely submitted to /api/internal/workflows).

Sink:

  1. The message_with_inline_syntax_highlighting_and_upsells method in /app/app/models/installment.rb:321 processes the raw message. While it performs syntax highlighting within <pre><code> blocks, it does not appear to sanitize arbitrary HTML elsewhere in the message.
  2. In the view /app/app/views/one_off_mailer/email_using_installment.html.erb:4, the result of this method is marked .html_safe before being passed to Rinku.auto_link, and the final output is rendered using raw.

Exploitation:

  1. A seller creates or edits a workflow/post (Installment).
  2. In the message body, the seller includes an XSS payload outside of any <pre><code> block, e.g., <img src=x onerror=alert('XSS-Installment')>.
  3. The seller triggers an email to be sent using this installment (e.g., via OneOffMailer).
  4. The recipient opens the email, and the malicious script executes within their email client.

Impact: Allows sellers to execute arbitrary JavaScript in the context of email recipients viewing posts/workflow emails.

Recommendation: Apply robust HTML sanitization (e.g., using Rails' sanitize helper with appropriate configuration) to the message content before performing syntax highlighting or marking it html_safe. Ensure only safe HTML tags and attributes are allowed in the final output.
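The ordering the recommendation describes (sanitize the seller-controlled message first, then highlight and auto-link, and only then mark the result html_safe), as an added example that is not part of the original report or the project's code. Rails' sanitize helper is not available stand-alone, so this uses a minimal escape-by-default allowlist stand-in for it; in the application itself the Rails sanitize helper (backed by Rails::Html::SafeListSanitizer) should do this job.

```ruby
require 'cgi'
require 'uri'

# Tags an installment email legitimately needs; everything else is escaped.
ALLOWED_TAGS = %w[p br strong em ul ol li pre code a].freeze
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}

# Returns the href value only when it is an http(s) URL, nil otherwise,
# so a javascript: link on an allowed <a> is dropped along with its attributes.
def safe_href(attrs)
  m = attrs.match(/\bhref\s*=\s*["']?([^"'\s>]+)/i)
  return nil unless m
  scheme = (URI.parse(m[1]).scheme rescue nil)
  %w[http https].include?(scheme) ? m[1] : nil
end

# Escape-by-default sanitizer (stand-in for Rails' sanitize helper): text and
# any tag not on the allowlist are HTML-escaped, allowed tags are re-emitted in
# canonical form with all attributes removed except a validated href on <a>.
# This must run on the raw Installment.message BEFORE syntax highlighting and
# before the view calls .html_safe; the report's <img onerror=...> payload sits
# outside <pre><code>, so highlighting alone never touches it.
def sanitize_message(message)
  out = +''
  pos = 0
  message.scan(TAG_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(message[pos...m.begin(0)])
    closing, name, attrs = m[1], m[2].downcase, m[3]
    if ALLOWED_TAGS.include?(name)
      href = name == 'a' && closing.empty? ? safe_href(attrs) : nil
      out << (href ? %(<a href="#{CGI.escapeHTML(href)}">) : "<#{closing}#{name}>")
    else
      out << CGI.escapeHTML(m[0])
    end
    pos = m.end(0)
  end
  out << CGI.escapeHTML(message[pos..-1])
  out
end

# Constructed sample: the report's payload placed next to legitimate markup.
SAMPLE = "<p onclick=alert(1)>Hi</p>" \
         "<img src=x onerror=alert('XSS-Installment')>" \
         "<pre><code>x = 1</code></pre>"
```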

Metadata

Labels: wontfix (This will not be worked on)
