Helpy 2.8.0 - Stored XSS in knowledgebase Doc body rendering

Description

Helpy 2.8.0 contains a stored cross-site scripting vulnerability in the knowledgebase Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledgebase Doc and cause it to execute in the browser of any user who views the rendered article, including unauthenticated visitors.

The vulnerability exists in DocsHelper#sanitize_doc_content, which marks rendered Doc content as trusted with .html_safe without performing sanitization. The affected data flow is: attacker-controlled body input is stored in the database, converted to HTML by RDiscount, which preserves raw HTML tags, then passed to sanitize_doc_content, marked .html_safe, and emitted through ERB templates with <%= ... %>. Because Rails auto-escaping is bypassed, malicious HTML or JavaScript stored in the Doc body is rendered verbatim.

Vulnerability

Source → sink path

1. Source persistence: attacker-controlled body parameter accepted by:

• Admin::DocsController#create and #update (web form, requires verify_editor before_action)

• API::V1::Docs POST /api/v1/docs and PATCH /api/v1/docs/:id (requires admin or agent role via X-Token header)

• No input sanitization is performed before Doc.save / Doc.update_attributes.

2. Storage: Doc#body (PostgreSQL text column) stores the raw payload.

3. Markdown-to-HTML conversion (app/models/doc.rb:89-92):

def content
  c = RDiscount.new(self.body)
  c.to_html
end

def content
  c = RDiscount.new(self.body)
  c.to_html
end

def content
  c = RDiscount.new(self.body)
  c.to_html
end

def content
  c = RDiscount.new(self.body)
  c.to_html
end

RDiscount passes raw HTML tags in the Markdown source through to the output unchanged. A <script> block in body survives to_html verbatim.

4. Misleadingly-named sink (app/helpers/docs_helper.rb:29-31):

def sanitize_doc_content(content)
  "#{content}".html_safe
end

def sanitize_doc_content(content)
  "#{content}".html_safe
end

def sanitize_doc_content(content)
  "#{content}".html_safe
end

def sanitize_doc_content(content)
  "#{content}".html_safe
end

.html_safe instructs Rails ERB not to HTML-escape the string. No sanitization whatsoever is performed despite the method name.

5. Render in public and admin views — four templates call <%= sanitize_doc_content(@doc.content) %>:

• app/views/docs/show.html.erb:50 — public, unauthenticated access

• app/views/admin/internal_docs/show.html.erb:39 — internal admin view

• app/themes/nordic/views/docs/show.html.erb:56 — Nordic theme (public)

• app/themes/singular/views/docs/show.html.erb:34 — Singular theme (public)

Relevant code:

• app/helpers/docs_helper.rb:29-31

• app/models/doc.rb:89-92

• app/controllers/admin/docs_controller.rb:24-33 (create) and 35-58 (update)

• app/controllers/api/v1/docs.rb:46-60 (POST) and 80-95 (PATCH)

• app/views/docs/show.html.erb:50

• app/views/admin/internal_docs/show.html.erb:39

• app/themes/nordic/views/docs/show.html.erb:56

• app/themes/singular/views/docs/show.html.erb:34

PoC

Reproduction used in the validation environment

Environment: http://localhost:3000 running via docker compose up from the repo root. Seed credentials: admin@test.com / 12345678

1. Log in as admin at http://localhost:3000/en/users/sign_in using admin@test.com / 12345678.

2. Navigate to http://localhost:3000/admin/docs/new?lang=en.

   The ?lang=en parameter is required — without it the category dropdown is not rendered and the form submits with no category assigned.

3. Fill in the form:

   • Title: Stored XSS PoC

   • Category: Getting Started

   • Body: click the </> (Code View) button in the Summernote toolbar and paste the payload directly into the HTML editor:

     <script>alert(document.cookie)</script>

     <script>alert(document.cookie)</script>

     <script>alert(document.cookie)</script>

     <script>alert(document.cookie)</script>

   • Status: Published

4. Click Save Changes. The application stores the raw <script> tag verbatim in docs.body with no sanitization.

5. Note the doc ID from the redirect URL (e.g. /admin/docs/7/edit) and open the public article as an unauthenticated visitor (incognito window):

   http://localhost:3000/en/docs/7-stored-xss-poc

   http://localhost:3000/en/docs/7-stored-xss-poc

   http://localhost:3000/en/docs/7-stored-xss-poc

   http://localhost:3000/en/docs/7-stored-xss-poc

   The alert(document.cookie) dialog fires immediately on page load, confirming JavaScript execution in the visitor's browser context.

Evidence of Exploitation

• Video of Exploitation

  

• Static Evidence as an anonymous user visiting the document.

  

Our security policy

We have reserved the ID CVE-2026-40230 to refer to this issue from now on.

Disclosure policy

System Information

• Helpy

• Version 2.8.0

• Operating System: Any

References

Github Repository: https://github.com/helpyio/helpy
Security: https://github.com/helpyio/helpy/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.