PT-2026-32058 · Packagist · J0K3R/Graby

Published: 2026-03-31 · Updated: 2026-03-31

CVSS v4.0: 2.1 (Low)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Summary

Graby's cleanupXss() function configures htmLawed with conflicting settings: safe=1 (which removes <iframe>) combined with 'elements' => '*+iframe-meta' (which re-enables <iframe>). htmLawed does not sanitize the srcdoc attribute of the re-enabled <iframe>, so arbitrary JavaScript can be injected and executes when the sanitized content is rendered via |raw in templates.

Root Cause

src/Graby.php lines 1038-1048:

```php
htmLawed($html, [
  'safe' => 1,                    // removes <iframe>
  'elements' => '*+iframe-meta',  // re-adds <iframe>, overrides safe=1
  'deny_attribute' => 'style',    // srcdoc is NOT denied (htmLawed key is deny_attribute)
]);
```

The safe=1 and +iframe combination is a conflict: safe mode is designed to strip dangerous elements, but the elements override re-enables <iframe> without also blocking the dangerous srcdoc attribute.

Proof of Concept

Input to cleanupXss():

```html
<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>
```

Output (unchanged — htmLawed passes it through):

```html
<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>
```

When rendered via {{ content|raw }} in a template, srcdoc executes in an about:srcdoc frame with the same origin as the page. Confirmed via Puppeteer/Chromium headless: alert(document.domain) fires.

Validated on Wallabag (which uses Graby) via Docker: an entry created via the API with an iframe-only content body triggers a Readability failure and falls through to the cleanupXss() path.

Impact

  • Stored XSS in any application rendering Graby-sanitized content via |raw
  • In Wallabag: affects both authenticated views and public share pages (unauthenticated)
  • No CSP headers in default Wallabag config — no secondary mitigation

Suggested Fix

Either remove +iframe from the elements config to keep iframes blocked:

```php
'elements' => '*-iframe-meta',
```

Or explicitly deny the srcdoc attribute (htmLawed's deny_attribute takes a comma-separated list):

```php
'deny_attribute' => 'style, srcdoc',
```
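The following script is an added example, not Graby's own code, that puts the vulnerable configuration beside the two suggested fixes and runs the advisory's PoC payload through each. It assumes htmLawed is available through Composer (the `htmlawed/htmlawed` package, which defines the global `htmLawed()` function); the function names `sanitizeVulnerable`, `sanitizeNoIframe`, `sanitizeDenySrcdoc` and `containsIframeSrcdoc` are hypothetical. The last function is a sanitizer-independent check that is useful as a regression test: whatever the htmLawed config, sanitized output must not contain an <iframe> with a srcdoc attribute.

```php
<?php
// Added example, not part of Graby. Assumes `composer require htmlawed/htmlawed`
// has been run so that vendor/autoload.php provides the global htmLawed() function.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed payload mirroring the advisory's PoC (HTML-entity-encoded <script>).
const POC = '<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>';

// Vulnerable configuration as described in the advisory: safe=1 strips <iframe>,
// '*+iframe-meta' re-enables it, and srcdoc is not on the deny list.
function sanitizeVulnerable(string $html): string
{
    return htmLawed($html, [
        'safe' => 1,
        'elements' => '*+iframe-meta',
        'deny_attribute' => 'style',
    ]);
}

// Fix A: do not re-add <iframe>; safe=1 then removes the element entirely.
function sanitizeNoIframe(string $html): string
{
    return htmLawed($html, [
        'safe' => 1,
        'elements' => '*-iframe-meta',
        'deny_attribute' => 'style',
    ]);
}

// Fix B: keep <iframe> for embeds but deny srcdoc. htmLawed's deny_attribute
// is a comma-separated attribute list.
function sanitizeDenySrcdoc(string $html): string
{
    return htmLawed($html, [
        'safe' => 1,
        'elements' => '*+iframe-meta',
        'deny_attribute' => 'style, srcdoc',
    ]);
}

// Regression check independent of the sanitizer: flags any <iframe> that still
// carries a srcdoc attribute in the output. Matches case-insensitively and
// tolerates whitespace around '=' so attribute-spacing variants are not missed.
function containsIframeSrcdoc(string $html): bool
{
    return (bool) preg_match('/<iframe\b[^>]*\bsrcdoc\s*=/i', $html);
}

$variants = [
    'vulnerable'  => 'sanitizeVulnerable',  // expected: srcdoc still present
    'no-iframe'   => 'sanitizeNoIframe',    // expected: <iframe> removed
    'deny-srcdoc' => 'sanitizeDenySrcdoc',  // expected: <iframe> kept, srcdoc dropped
];

$failed = 0;
foreach ($variants as $label => $fn) {
    $out = $fn(POC);
    $leaks = containsIframeSrcdoc($out);
    printf("%-12s srcdoc present: %-3s  output: %s\n", $label, $leaks ? 'YES' : 'no', $out);
    if ($leaks && $label !== 'vulnerable') {
        $failed++;
    }
}

// Non-zero exit if either fix lets the srcdoc through, so this can run in CI.
exit($failed === 0 ? 0 : 1);
```

Run it with `php check_srcdoc.php` from a directory where the Composer autoloader exists; the vulnerable variant is expected to echo the payload unchanged, and both fixes should report `srcdoc present: no`. The `containsIframeSrcdoc` check is deliberately a plain pattern match on the final output rather than a second sanitizer pass: its job is to catch a config regression like this one, not to replace htmLawed.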

Credit

Discovered by @tikket1, 2026-03-25. Redirected from wallabag/wallabag advisory by @j0k3r.

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-3H6J-9X8M-RG3G

Affected Products

J0K3R/Graby