Open Ry0taK opened 5 years ago
sup abbr
👋 Hey! We've recently opened a bug bounty against this issue, so if you want to get rewarded 💰 for fixing this vulnerability 🕷, head over to https://huntr.dev!
Hello, while bug bounting this issue I noticed the filter is implemented; you should use
htmlDecode : "|on*"
while starting the editor. This should be the preferred method; that way it protects against code injection in all elements, like divs, img, ...., not just abbr & sup.
XSS can also be achieved with many more elements:
<div style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('div')">div</div>
sent PR updating README to make it clear
I think this can be closed
After looking deeper I realized the filter is ineffective for self-closing tags, will look into it
Should work properly now
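An added example, not editor.md's own implementation, of the kind of filter the thread argues for: an on* attribute stripper applied to every tag, including self-closing ones, with an optional abbr/sup-only mode that shows why a narrow filter is not enough. The regexes, the sample input and the function names are assumptions constructed for this illustration.

```javascript
// Remove attributes whose name starts with "on" (onclick, onmouseover, onerror,
// ...) from start tags. If `onlyTags` is given, only those tag names are
// filtered, which reproduces the narrow, insufficient behaviour; with no list,
// every tag is filtered, which is what an "|on*" style rule is meant to do.
// Regex-based tokenizing is an assumption for illustration; a production
// sanitizer should rely on a real HTML parser.
function stripEventHandlers(html, onlyTags = null) {
  // A start tag or self-closing tag: name, attribute text (quoted values may
  // contain ">"), then an optional "/" before the closing ">".
  const tagRe = /<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^>"'])*?)(\s*\/?)>/g;
  // One attribute: name, then an optional =value (quoted or bare).
  const attrRe = /\s+([^\s=>\/]+)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const scope = onlyTags && new Set(onlyTags.map((t) => t.toLowerCase()));
  return html.replace(tagRe, (whole, name, attrs, close) => {
    if (scope && !scope.has(name.toLowerCase())) return whole; // out of scope
    const kept = [];
    for (const m of attrs.matchAll(attrRe)) {
      if (!/^on/i.test(m[1])) kept.push(m[0].trim()); // drop on* attributes
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${close}>`;
  });
}

// Constructed sample input (not from the original report) covering the cases
// the thread mentions: abbr, sup, a div and a self-closing img.
const SAMPLE = [
  '<abbr title="x" onmouseover="alert(1)">abbr</abbr>',
  '<div style="position:fixed" onmouseover="alert(2)">div</div>',
  '<img src="x" onerror="alert(3)"/>',
  '<sup ONCLICK=alert(4)>sup</sup>',
].join('\n');

// Count on* attributes still present in a tag, a quick check on filter output.
function countEventHandlers(html) {
  return (html.match(/<[^>]*\s[oO][nN][\w-]+\s*=/g) || []).length;
}

console.log(stripEventHandlers(SAMPLE, ['abbr', 'sup'])); // narrow: div and img keep their handlers
console.log(stripEventHandlers(SAMPLE));                  // global: no on* attribute survives
```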
Summary
Because there are no attribute filters in the abbr and sup tags, an attacker can trigger XSS on websites which use editor.md.
CVE
CVE-2019-14653
Payloads
This will execute JavaScript when you move the mouse on any part of the page.
Images