Summary

An insufficient content sanitization in WeRSS’s (https://github.com/rachelos/we-mp-rss/) Article module allows authenticated users to perform Stored Cross-Site Scripting (XSS) attacks. The vulnerability stems from multiple security failures in the content processing pipeline that form a complete exploit chain.

Impact

we-mp-rss ≤1.4.8 (latest)

Details

The vulnerability consists of 2 chained security failures:

Vulnerability #1: HTML Sanitization Return Value Not Used

File: tools/fix.py Line: 7

The fix_html() function calls htmltools.clean_html() to sanitize dangerous HTML tags and attributes, but the return value is not assigned back to the variable, causing all sanitization operations to be completely ineffective.

def fix_html(content:str):
    from core.content_format import format_content
    from tools.mdtools.md2html import convert_markdown_to_html
    from tools.html import htmltools

    # ✗ Called clean_html but didn't use the return value
    htmltools.clean_html(
        content,
        remove_attributes=[{'src': ''}],
        remove_ids=['content_bottom_interaction', 'activity-name', 'meta_content']
    )

    content = format_content(content, content_format='markdown')
    content = convert_markdown_to_html(content)
    return content

Expected behavior: Remove <script> tags, <style> tags, HTML comments, and dangerous elements. Actual behavior: All dangerous content passes through unchanged.

Vulnerability #2: Markdown Converter Allows HTML Tags

File: tools/mdtools/md2html.pyLines: 52, 494

The Python Markdown library is configured with allow_html=True, which preserves raw HTML tags without any escaping or filtering.

class MarkdownToHtmlConverter:
    def __init__(self, config: Optional[Dict[str, Any]] = None):
        # ...
        self.allow_html = self.config.get('allow_html', True)  # ✗ Allows HTML by default

# Default configuration
DEFAULT_CONFIG = {
    'remove_images': False,
    'remove_links': False,
    'add_css_class': True,
    'pretty_print': True,
    'allow_html': True  # ✗ Explicitly set to True
}

This allows attackers to embed malicious HTML code within content:

# Normal Markdown content
This is regular text.
<img src=x onerror=alert(1)>  ← HTML tags will be preserved
<script>alert('XSS')</script> ← Script tags will also be preserved

PoC