Discuss Scratch

ZZC12345
Scratcher
500+ posts

[forums] [possible security bug!] UTF-16 HTML Malformation

My browser / operating system: Windows NT 10.0, Chrome 106.0.0.0, No Flash version detected

In DjangoBB, if you post any (possibly; tested with U+1F4F1) UTF-16 character inside a [code] tag, it will corrupt the HTML of that forum page, causing browsers to render the page contents after it weirdly.

There may be some way to exploit this using <script> tags – I don't have enough time to find an exploitation, but it may be possible.
Scratch's version of DjangoBB (the forum software used by Scratch) is still on Python 1 or something (we're on v3.13 now!), and has some Django security bugs. See my discussion on this topic about upgrading DjangoBB for some of the old Django and Python versions' bugs.

Tested with the following characters (all UTF-16, suggesting that the bug has to do with UTF-16):
U+10437
U+1F4F1
U+10438

Expected:
UTF-16 characters in a [code] tag to render normally as any other character does
[insert UTF-16 character here]
In HTML:
<div class="code"><pre>[character]</pre></div>

Result:
HTML:
<div class="code"><pre>
<!-- *unterminated <pre> and <div> tags wrecking the rest of the page* -->
Screenshot:

Actual proof:
WARNING: The rest of this page will render incorrectly, but contents will still be readable. Please post if you need me to remove the demo.

Last edited by ZZC12345 (Oct. 5, 2022 12:11:55)
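An added example (not code from this thread or from DjangoBB) that models the failure mode reported above from the defender's side: a character outside the Basic Multilingual Plane takes two UTF-16 code units, so any processing step that cuts text on code-unit boundaries can leave a lone surrogate, which then breaks UTF-8 encoding of the rendered page. The `truncate_on_utf16_units` function is an assumed reproduction of such a step, not DjangoBB's actual code; the detection and sanitising helpers are the checks a forum renderer would want.

```python
import html

# Constructed sample: the three non-BMP characters listed in the report.
SAMPLES = ["\U00010437", "\U0001F4F1", "\U00010438"]


def render_code_tag(text: str) -> str:
    """Expected rendering: escape the [code] body and wrap it in the page markup."""
    return '<div class="code"><pre>' + html.escape(text, quote=False) + "</pre></div>"


def utf16_units(text: str) -> int:
    """Number of UTF-16 code units; a non-BMP character takes two (a surrogate pair)."""
    return len(text.encode("utf-16-le")) // 2


def truncate_on_utf16_units(text: str, max_units: int) -> str:
    """Hypothetical buggy step (assumed, not DjangoBB's code): cut text by
    UTF-16 code-unit count. Cutting inside a surrogate pair leaves a lone
    surrogate in the result."""
    raw = text.encode("utf-16-le")[: max_units * 2]
    return raw.decode("utf-16-le", errors="surrogatepass")


def has_lone_surrogate(text: str) -> bool:
    """Detection: any code point in U+D800..U+DFFF is an unpaired surrogate."""
    return any(0xD800 <= ord(ch) <= 0xDFFF for ch in text)


def can_encode_utf8(text: str) -> bool:
    """A lone surrogate makes strict UTF-8 encoding fail; a renderer that dies
    here mid-template is one way <pre> and <div> end up unclosed."""
    try:
        text.encode("utf-8")
        return True
    except UnicodeEncodeError:
        return False


def sanitize(text: str) -> str:
    """Mitigation: replace unpaired surrogates with U+FFFD before rendering so
    encoding cannot fail and the surrounding markup stays well-formed."""
    return "".join("\ufffd" if 0xD800 <= ord(ch) <= 0xDFFF else ch for ch in text)
```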

CST1229
Scratcher
1000+ posts

[forums] [possible security bug!] UTF-16 HTML Malformation

This issue affects all characters outside the Basic Multilingual Plane (U+10000 and above, which all require more than 2 bytes to represent), and I think also affects quote and center tags.

Last edited by CST1229 (Oct. 5, 2022 13:53:20)

ZZC12345
Scratcher
500+ posts

[forums] [possible security bug!] UTF-16 HTML Malformation

bump

Last edited by ZZC12345 (Oct. 6, 2022 10:51:15)
