instance-oom / ngx-markdown-editor

Angular markdown editor based on ace editor
http://lon-yang.github.io/markdown-editor/
Apache License 2.0

Preview Panel XSS with img tags #78

Closed perryflynn closed 3 years ago

perryflynn commented 4 years ago

It is possible to inject XSS into the preview panel because it renders HTML:

<img src="la" onerror="alert('hi');">

Reproducible on http://lon-yang.github.io/markdown-editor/

instance-oom commented 4 years ago

You can change this option (markedjsOpt.sanitize) to true to prevent it, e.g.

options = {
  markedjsOpt: {
    sanitize: true
  }
}
<md-editor [options]="options"></md-editor>

perryflynn commented 4 years ago

If true, sanitize the HTML passed into markdownString with the sanitizer function. Warning: This feature is deprecated and it should NOT be used as it cannot be considered secure. Instead use a sanitize library, like DOMPurify (recommended), sanitize-html or insane on the output HTML!

https://marked.js.org/using_advanced#options

Is it possible to just run the Angular sanitize function on the markdown code first and then parse the markdown?

https://angular.io/api/platform-browser/DomSanitizer#sanitize
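
Added example, not code from ngx-markdown-editor, marked or DOMPurify: a minimal allow-list filter applied to the rendered HTML, which is the order the marked documentation quoted above recommends, showing why the img payload from this issue comes out inert. The tag and attribute allow-list is my own choice; it is a pared-down illustration of what DOMPurify does, and in the real component DOMPurify.sanitize() on marked's output is what belongs here.

```javascript
// Illustrative allow-list sanitizer for rendered markdown HTML (added example, not the
// project's code). Real deployments should call DOMPurify.sanitize() on marked's output.
const ALLOWED = { p: [], br: [], em: [], strong: [], code: [], pre: [], ul: [], ol: [], li: [],
  blockquote: [], h1: [], h2: [], h3: [], a: ["href", "title"], img: ["src", "alt", "title"] };
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Escape text, keeping entities the renderer already emitted (e.g. "&quot;") unchanged.
function escapeText(s) {
  return s.replace(/&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);)/g, "&amp;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Accept http(s)/mailto and plain relative URLs. Control characters are stripped first because
// browsers ignore them inside a scheme, and an entity before the path part is rejected
// because it could decode to ':' in the browser.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(v);
  if (scheme) return SAFE_SCHEMES.has(scheme[1]);
  return !/^[^\/?#]*&/.test(v);
}

// Rebuild one tag from scratch so only allow-listed attributes survive (every on* handler is
// dropped). Unknown tags are removed; their text content is kept by the caller.
function sanitizeTag(closing, name, rawAttrs) {
  const allowedAttrs = ALLOWED[name];
  if (!allowedAttrs) return "";
  if (closing) return `</${name}>`;
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let attrs = "", a;
  while ((a = attrRe.exec(rawAttrs)) !== null) {
    const key = a[1].toLowerCase(), value = a[2] ?? a[3] ?? a[4] ?? "";
    if (!allowedAttrs.includes(key)) continue;
    if (URL_ATTRS.has(key) && !safeUrl(value)) continue;
    attrs += ` ${key}="${escapeText(value)}"`;
  }
  return `<${name}${attrs}>`;
}

// Tokenize into well-formed tags and text. Anything that does not parse as a tag
// (e.g. "<scr<script>ipt>") is treated as text and escaped, so malformed markup fails closed.
function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)) + sanitizeTag(m[1] === "/", m[2].toLowerCase(), m[3]);
    last = tagRe.lastIndex;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample: the HTML marked emits for the payload reported in this issue.
const PREVIEW_HTML = '<p>hello <img src="la" onerror="alert(\'hi\');"></p>';
console.log(sanitizeHtml(PREVIEW_HTML)); // <p>hello <img src="la"></p>
```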

instance-oom commented 4 years ago

I will try this or just use DOMPurify, then override the sanitize option

instance-oom commented 3 years ago

Solved