Smileyt / python-markdown2

Automatically exported from code.google.com/p/python-markdown2

Javascript injection #30

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Quotation marks are not filtered from attributes, so you can inject javascript
events into elements. Here is an example:

```python
from markdown2 import markdown
# reference definition: closing quote after the URL, then an injected event attribute
test = """
![a][b]
[b]: http://static.reddit.com/reddit.com.header.png"
onload="alert('javascript injected')
"""
print(markdown(test, safe_mode=True))
```

The result is:

```html
<p><img src="http://static.reddit.com/reddit.com.header.png"
onload="alert('javascript injected')" alt="a" /></p>
```

Expected result is:

```html
<p><img src="http://static.reddit.com/reddit.com.header.png&quot;
onload=&quot;alert('javascript injected')" alt="a" /></p>
```

Original issue reported on code.google.com by c2531...@tyldd.com on 29 Sep 2009 at 5:29

GoogleCodeExporter commented 8 years ago
Note: either because of the wiki here or by a cut 'n paste mistake, the input to trigger this
bug is slightly wrong in the main bug description. The input must be:

```python
from markdown2 import markdown
# the whole reference definition, including the injected attribute, on one line
test = """
![a][b]
[b]: http://static.reddit.com/reddit.com.header.png" onload="alert('javascript injected')
"""
print(markdown(test, safe_mode=True))
```

Original comment by tre...@gmail.com on 30 Sep 2009 at 6:00

GoogleCodeExporter commented 8 years ago
Test case added (cd test && python test.py issue30) and fix in r212. I'll do a
markdown2 1.0.1.15 release shortly for this.

Original comment by tre...@gmail.com on 30 Sep 2009 at 6:21
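The property the expected result in the report requires, as an added example that is not markdown2's code: a toy reference-image renderer (hypothetical `render_image_refs`, `escape_attr` and `img_attributes`) that escapes every attribute value, run on the corrected reproducer from the follow-up comment and then re-parsed the way a browser would, to confirm the hostile URL stays inside `src` rather than becoming an `onload` attribute.

```python
import re
from html.parser import HTMLParser

# Constructed input: the issue's reproducer, with the reference definition on
# one line as the follow-up comment specifies.
ISSUE_30_INPUT = """
![a][b]
[b]: http://static.reddit.com/reddit.com.header.png" onload="alert('javascript injected')
"""

REF_DEF = re.compile(r"^\[([^\]]+)\]:\s*(.+?)\s*$", re.MULTILINE)
IMG_REF = re.compile(r"!\[([^\]]*)\]\[([^\]]+)\]")

def escape_attr(value):
    """Escape for a double-quoted HTML attribute. '&' goes first so the
    entities added next are not double-escaped; escaping '"' is what stops a
    hostile URL from closing the attribute early."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def render_image_refs(text):
    """Toy renderer for ![alt][id] + [id]: url (hypothetical; not markdown2's
    code). Every attribute value passes through escape_attr first."""
    refs = {m.group(1).lower(): m.group(2) for m in REF_DEF.finditer(text)}
    body = REF_DEF.sub("", text).strip()  # definitions are not rendered as text

    def repl(m):
        alt, ref_id = m.group(1), m.group(2).lower()
        if ref_id not in refs:
            return m.group(0)  # unknown reference: leave the markdown as-is
        return '<img src="%s" alt="%s" />' % (escape_attr(refs[ref_id]), escape_attr(alt))

    return "<p>%s</p>" % IMG_REF.sub(repl, body)

class _ImgAttrs(HTMLParser):
    """Records the attributes a browser-style parser sees on the first <img>."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.attrs is None:
            self.attrs = dict(attrs)

def img_attributes(html):
    """Return the <img> attribute dict as a parser decodes it (entities resolved)."""
    p = _ImgAttrs()
    p.feed(html)
    return p.attrs or {}
```

The rendered string matches the issue's expected output exactly, and the re-parse yields only `src` and `alt`, with the full hostile text (quote included) decoded back into the `src` value.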