erusev / parsedown

Better Markdown Parser in PHP
https://parsedown.org
MIT License

Possible XSS injection? #706

Closed gluntn closed 5 years ago

gluntn commented 5 years ago

Preface: I don't know enough about XSS injection, and I've only used the online demo. Just thought I'd share this.

I tried messing around with the script styling:

Hello there

And by adding a # before the backticks, a script-tag was generated.

#```<script>alert("1")</script>
hello
\```

(minus the backslash) became

<h1>```<script>alert(1)</script></h1>
<p>hello</p>
<pre><code></code></pre>

Is this the correct behaviour?

aidantwoods commented 5 years ago

This is expected behaviour by default (since Markdown itself permits HTML); however, there is safe mode if you want to accept user input safely.

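For anyone landing on this issue, here is an added example (not code from the thread above or from the Parsedown project) that runs the reported input through Parsedown in its default mode and then with safe mode enabled. It assumes Parsedown 1.7 or later installed through Composer, so the vendor/autoload.php path is an assumption; the javascript: link is constructed here to show that safe mode also filters link destinations, not only raw tags.

```php
<?php
// Added example, not part of the issue thread or the Parsedown code base.
// Assumes erusev/parsedown >= 1.7 installed via Composer (assumed path below).
require __DIR__ . '/vendor/autoload.php';

// The markdown from the report, plus a constructed link with a scripting
// scheme so both XSS vectors that safe mode covers are exercised.
$untrusted = "#```<script>alert(\"1\")</script>\nhello\n```\n\n"
           . "[click me](javascript:alert(1))\n";

// Default mode: raw HTML in the markdown is passed through untouched,
// which is why the report's <script> tag shows up inside the <h1>.
$default = new Parsedown();
echo "--- default mode ---\n";
echo $default->text($untrusted), "\n";

// Safe mode: raw HTML is escaped and link destinations are sanitised.
// It is opt-in, so it must be set on every instance that sees user input.
$safe = new Parsedown();
$safe->setSafeMode(true);
echo "--- safe mode ---\n";
$html = $safe->text($untrusted);
echo $html, "\n";

// Cheap regression check for any code path that renders untrusted markdown:
// neither a live <script> tag nor a javascript: href should survive.
$leaked = stripos($html, '<script') !== false
       || stripos($html, 'href="javascript:') !== false;
exit($leaked ? 1 : 0);
```

Two caveats worth keeping in mind: setSafeMode() only exists from Parsedown 1.7.0 on, and the older setMarkupEscaped(true) escapes raw HTML but does not filter link destinations, so upgrade rather than rely on it for untrusted input; and if the rendered HTML is embedded in a page with its own templating, the usual output-encoding and CSP controls still apply on top of safe mode.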
gluntn commented 5 years ago

Nice! Okay, that's good! 😁