search

nuxt-modules / mdc

MDC supercharges regular Markdown to write documents interacting deeply with any Vue component.
MIT License
198 stars 22 forks source link

MDC component is vulnerable to XSS #249

Open thannaske opened 2 months ago

thannaske commented 2 months ago

It seems like the MDC component is not caring about XSS and is therefore vulnerable against "poisoned" content.

Reproduction

<MDC value='<script type="text/javascript">alert("XSS");</script>' tag="article" />

CleanShot 2024-08-21 at 19 45 40@2x

farnabaz commented 1 month ago

Thanks @thannaske Scripts should be banned, do you mind creating a simple reproduction? In my tests it works as expected, mybe I'm missing something in my tests!!

Screenshot 2024-09-12 at 12 57 46
robinkloeckner commented 1 month ago

Thanks @thannaske Scripts should be banned, do you mind creating a simple reproduction? In my tests it works as expected, mybe I'm missing something in my tests!! Screenshot 2024-09-12 at 12 57 46

Got the same result.