33mestre / pagedown

Automatically exported from code.google.com/p/pagedown

XSS: fails to escape link text in [<svg/onload=alert(1)//]() correctly #34

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
> new Markdown.Converter().makeHtml('[<svg/onload=alert(1)//]()')
→ '<p><a href=""><svg/onload=alert(1)//</a></p>'

This displays an alert in Firefox (XSS). Demo: 
data:text/html;charset=utf-8,<p><a href=""><svg/onload=alert('XSS')//</a></p>

Expected output is:

→ '<p><a href="">&lt;svg/onload=alert(1)//</a></p>'

I.e. the `<` should always be escaped.

Original issue reported on code.google.com by mathias@qiwi.be on 9 Aug 2012 at 1:39

GoogleCodeExporter commented 9 years ago
Luckily, Stack Overflow seems to have an extra layer of protection (`sanitizeAndSplitTags`, perhaps?) that prevents XSS attacks like this one. However, it would be useful to have this protection for all Pagedown users.

Original comment by mathias@qiwi.be on 9 Aug 2012 at 1:40

GoogleCodeExporter commented 9 years ago
This is absolutely by design.

Markdown allows you to do whatever you want. After all, you might just be using it to create your own blog, and you should be able to do whatever you want there.

And you didn't even have to go through some strange quote-less onload pseudo-exploit -- <script>alert(1)</script> works just as fine.

Of course if you're using Markdown for user-submitted content, you want to sanitize. As you said "Luckily, Stack Overflow seems to have an extra layer of protection [...] However, it would be useful to have this protection for all Pagedown users."

Well guess what, you have it! From the *introduction* of the documentation (http://code.google.com/p/pagedown/wiki/PageDown):

It should be noted that Markdown is not safe as far as user-entered input goes. Pretty much anything is valid in Markdown, in particular something like <script>doEvil();</script>. This PageDown repository includes the two plugins that Stack Exchange uses to sanitize the user's input; see the description of Markdown.Sanitizer.js below.

Original comment by b...@stackoverflow.com on 9 Aug 2012 at 3:21
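The post-conversion whitelist approach the reply points to, shown as an added example that is not pagedown's own Markdown.Sanitizer.js: it runs over the HTML the converter already produced, keeps a small set of harmless tags, and escapes every other `<...>` so it renders as text. The whitelist regexes, the escaping (the real plugin drops unknown tags instead) and the sample strings are assumptions constructed for this example.

```javascript
// Constructed whitelist for this example: bare structural and inline tags only,
// no attributes, so on* handlers on these tags never survive.
const SAFE_TAG = /^<\/?(p|br|hr|b|i|em|strong|code|pre|ul|ol|li|blockquote|h[1-6])\s*\/?>$/i;
// Opening <a> with an href that is empty, relative, or http(s), optionally a
// title, and nothing else; a "javascript:" scheme cannot match either branch.
const SAFE_A_OPEN = /^<a\s+href="(https?:\/\/[^"\s]*|[^"\s:]*)"(\s+title="[^"]*")?\s*>$/i;
const SAFE_A_CLOSE = /^<\/a\s*>$/i;

// Turn a rejected tag (or unterminated tag fragment) into inert text.
function escapeTag(fragment) {
  return fragment.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep whitelisted tags verbatim, escape everything else.
function sanitizeTag(tag) {
  if (SAFE_TAG.test(tag) || SAFE_A_OPEN.test(tag) || SAFE_A_CLOSE.test(tag)) {
    return tag;
  }
  return escapeTag(tag);
}

// Tokenise on "<": each token is "<", then anything that is not "<" or ">",
// then an optional ">". A "<" that is never closed (the report's
// "<svg/onload=alert(1)//" followed directly by "</a>") becomes its own token,
// so the closing </a> is examined separately and survives.
function sanitizeHtml(html) {
  return html.replace(/<[^<>]*>?/g, sanitizeTag);
}

// Converter output quoted in the report, and the output the report expects
// (both constructed here as literals rather than produced by pagedown).
const REPORTED = '<p><a href=""><svg/onload=alert(1)//</a></p>';
const EXPECTED = '<p><a href="">&lt;svg/onload=alert(1)//</a></p>';
// The plain script case from the maintainer's reply (constructed).
const SCRIPT_BLOCK = '<script>doEvil();</script><p>ok</p>';

console.log(sanitizeHtml(REPORTED) === EXPECTED); // true
console.log(sanitizeHtml(SCRIPT_BLOCK));          // &lt;script&gt;doEvil();&lt;/script&gt;<p>ok</p>
```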

GoogleCodeExporter commented 9 years ago
*facepalms* Thanks for your patience!

Original comment by mathias@qiwi.be on 9 Aug 2012 at 3:23