inacho / bootstrap-markdown-editor

Markdown editor for Bootstrap with preview, image upload support, shortcuts and other features.
MIT License

HTML tag cannot filter XSS #13

Closed MyKings closed 8 years ago

MyKings commented 8 years ago

In the input text box, enter the following:

http://www.example.com/<script>alert(document.cookie)</script>

Here is the test code; click preview to trigger it :)

```html
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>editor</title>
    <link href="/static/css/bootstrap.min.css" rel="stylesheet">
    <link href="/static/css/bootstrap-markdown-editor.css" rel="stylesheet">
    <script src="/static/js/jquery-1.7.2.min.js"></script>
    <script src="/static/js/bootstrap.min.js"></script>
    <script src="/static/js/ace.js"></script>
    <script src="/static/js/bootstrap-markdown-editor.js"></script>
</head>
<body>
<!-- The entity-encoded payload becomes the editor's initial text -->
<div id="myEditor" name="myEditor">http://www.example.com/&lt;script&gt;alert(document.cookie)&lt;/script&gt;</div>
<script>
  $('#myEditor').markdownEditor({
    preview: true,
    onPreview: function (content, callback) {
      // The preview content is injected as raw HTML without any filtering,
      // so the <script> element in the payload runs.
      $('#myEditor').html(content);
    }
  });
</script>
</body>
</html>
```
inacho commented 8 years ago

It depends on the markdown parser. The example in this repository uses the JavaScript library Marked to parse the markdown to HTML only as a demonstration. You should use a server-side parser with the filters you need.
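As an added example (not code from bootstrap-markdown-editor or from either commenter), this is the kind of filter inacho refers to, applied on the client: an allowlist sanitizer run over the HTML the markdown parser returns, before `onPreview` injects it into the page. The tag and attribute allowlists and the `isSafeUrl` rule are assumptions chosen for this demo, not the project's API.

```javascript
// Allowlist sanitizer for parser output (demo assumptions: these lists are
// not from bootstrap-markdown-editor). Anything not listed is dropped.
const ALLOWED_TAGS = new Set(['p', 'br', 'em', 'strong', 'code', 'pre', 'ul',
  'ol', 'li', 'blockquote', 'h1', 'h2', 'h3', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Only http(s), mailto, absolute-path and fragment links survive in href;
// anything else (javascript:, data:, entity-encoded schemes) is removed.
function isSafeUrl(value) {
  return /^(https?:\/\/|mailto:|\/|#)/i.test(value.trim());
}

// Stray < and > outside recognised tags are turned into text so that
// removing a tag can never splice a new one together.
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild an allowed opening tag from scratch, keeping only listed attributes.
function rebuildTag(tag, attrSource) {
  const allowed = ALLOWED_ATTRS[tag];
  let out = '<' + tag;
  if (allowed) {
    for (const m of attrSource.matchAll(ATTR_RE)) {
      const name = m[1].toLowerCase();
      const value = [m[2], m[3], m[4]].find((v) => v !== undefined) || '';
      if (!allowed.has(name)) continue;               // drops onclick, style, ...
      if (name === 'href' && !isSafeUrl(value)) continue;
      out += ' ' + name + '="' + value.replace(/"/g, '&quot;') + '"';
    }
  }
  return out + '>';
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    const tag = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (ALLOWED_TAGS.has(tag)) {
      out += closing ? '</' + tag + '>' : rebuildTag(tag, m[2]);
    }                                                  // disallowed tags vanish
    last = m.index + m[0].length;
  }
  return out + escapeText(html.slice(last));
}
```

In the repro above, `onPreview` would then inject `sanitizeHtml(parsedHtml)` instead of the raw content; the script element from the issue's payload is removed and only its text remains.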