heronyang / pagedown

Automatically exported from code.google.com/p/pagedown
Other
0 stars 0 forks source link

Treat `:` as `:` in URLs #33

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Fixes an XSS vulnerability reported by Mario Heiderich 
(http://twitter.com/0x6d6172696f).

This change ensures that…

   new Markdown.Converter().makeHtml('**_[Free iPad Here!](javascript:alert(1))_**')

…has the same result as…

   new Markdown.Converter().makeHtml('**_[Free iPad Here!](javascript:alert(1))_**')

Original issue reported on code.google.com by mathias@qiwi.be on 9 Aug 2012 at 12:18

Attachments:

GoogleCodeExporter commented 9 years ago
Although a better approach might be to get the attribute value (i.e. the URL), 
set it as the innerHTML of a dummy element’s innerHTML, then retrieve its 
innerText/textContent (to unescape all HTML entities) to get the real URL. Then 
replace any problematic characters, and afterwards escape special characters as 
HTML entities. (Only `&`, `<`, and `"` would need to be escaped as part of a 
quoted attribute value, wrapped in double quotes.)

Original comment by mathias@qiwi.be on 9 Aug 2012 at 12:22

GoogleCodeExporter commented 9 years ago
I can't read that user's tweets (they're protected), but as I've already 
explained at http://code.google.com/p/pagedown/issues/detail?id=34, there are 
no XSS vulnerabilities. Markdown just allows you to do anything you want. As a 
webmaster, it's *your* responsibility to sanitze user-entered input (and we 
even include the tool for that in this repo).

Original comment by b...@stackoverflow.com on 9 Aug 2012 at 3:30