Description
A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an HTML block, and the public page renders it with html_safe and no output escaping.
Technical description
This issue lets any admin who can edit an affected landing page store arbitrary HTML and JavaScript in an HTML block. The block is then rendered back through Decidim::ContentBlocks::HtmlCell#html_content without a sanitization boundary, so the script executes later in visitor's browsers.


Impact
- A user with landing-page editing rights for an affected scope can persist JavaScript that executes in visitor's browsers on that page.
- Because exploitation already requires privileged administrative access, the practical risk is lower than a participant-controlled or unauthenticated stored XSS. It still creates a browser-execution primitive in a trusted admin-editable surface.
Patches
See decidim/decidim#16451
Workarounds
Do not give admin permissions to non-trustful users.
Reference
Stored XSS
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
References
Description
A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an
HTML block, and the public page renders it withhtml_safeand no output escaping.Technical description
This issue lets any admin who can edit an affected landing page store arbitrary HTML and JavaScript in an
HTML block. The block is then rendered back throughDecidim::ContentBlocks::HtmlCell#html_contentwithout a sanitization boundary, so the script executes later in visitor's browsers.Impact
Patches
See decidim/decidim#16451
Workarounds
Do not give admin permissions to non-trustful users.
Reference
Stored XSS
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
References