PrismJS / prism

Lightweight, robust, elegant syntax highlighting.
https://prismjs.com
MIT License

[SECURITY] autolinker plugin is vulnerable to XSS #1054

Closed Rob--W closed 7 years ago

Rob--W commented 7 years ago

The autolinker plugin enables XSS on websites that use Prism.js to highlight user-generated content.

For example, edit plugins/autolinker/index.html and put the following string in one of the code blocks, e.g. at line 38. The plugin will turn the text into a link and enable XSS (in this example, hover over the link to see a dialog).

x"onmouseover="alert('XSS')"@x.xx

There are ways to increase the impact of this vulnerability (i.e. instant exploitation), but to avoid putting unpatched websites at risk by unskilled trolls, I've only shown the above simple example.
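The bug class described in this report is attribute injection: a matched address is interpolated straight into an `href="…"` attribute, so a `"` inside the match closes the attribute and whatever follows becomes new attributes. The following is an added example, not Prism's autolinker and not the patch from PR #1051; the matcher `EMAIL_RE`, the helpers `escapeHtml`, `autolinkUnsafe`, `autolinkSafe` and `anchorAttributeNames`, and the sample input are all constructed for illustration. It shows a loose autolinker beside a hardened one that escapes both the attribute value and the link text, plus a small check a maintainer can use to confirm that no attribute other than `href` ends up on a generated anchor.

```javascript
// Added example (not Prism.js code). Hypothetical matcher that is deliberately
// permissive about the local part, the way a loose autolinker might be, so it
// matches the address-shaped payload quoted in the report.
const EMAIL_RE = /[^\s<>@]+@[\w.-]+\.\w+/g;

// Escape the five characters that matter inside HTML text and double-quoted
// attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the raw match is interpolated into the attribute and the
// text node. A double quote in the match terminates the href value.
function autolinkUnsafe(text) {
  return text.replace(EMAIL_RE, (m) => `<a href="mailto:${m}">${m}</a>`);
}

// Hardened shape: every segment of the output, matched or not, is escaped,
// so quotes and angle brackets in user content can only appear as entities.
function autolinkSafe(text) {
  let out = '';
  let last = 0;
  for (const match of text.matchAll(EMAIL_RE)) {
    out += escapeHtml(text.slice(last, match.index));
    const addr = match[0];
    out += `<a href="mailto:${escapeHtml(addr)}">${escapeHtml(addr)}</a>`;
    last = match.index + addr.length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Review check: list the attribute names on every <a ...> opening tag.
// A correct autolinker yields only "href" per anchor; anything else means
// user content broke out of the attribute value.
function anchorAttributeNames(html) {
  const names = [];
  for (const tag of html.matchAll(/<a\s([^>]*)>/g)) {
    for (const attr of tag[1].matchAll(/(\w+)="[^"]*"/g)) names.push(attr[1]);
  }
  return names;
}

// Constructed input using the string quoted in the report.
const SAMPLE = 'contact: x"onmouseover="alert(\'XSS\')"@x.xx';

console.log('unsafe attrs:', anchorAttributeNames(autolinkUnsafe(SAMPLE)));
console.log('safe attrs:  ', anchorAttributeNames(autolinkSafe(SAMPLE)));
console.log(autolinkSafe('mail a@b.co now'));
```

The same check generalizes to any plugin that builds markup from matched text: run the generated HTML through `anchorAttributeNames` (or a real HTML parser) with a quote-bearing input and confirm the attribute set is exactly what the code intended to emit. Building the anchor with `document.createElement('a')` and setting `a.href` / `a.textContent` avoids the string-concatenation problem entirely in browser code.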

Rob--W commented 7 years ago

I have attached a patch to PR #1051.

Rob--W commented 7 years ago

1051 was merged.