reactjs / react-tutorial

Code from the React tutorial.
http://facebook.github.io/react/docs/tutorial.html

Stored XSS in Markdown #139

Closed matt- closed 8 years ago

matt- commented 8 years ago

The markdown library (marked) used in this demo does not properly handle HTML entities (even with the sanitize option set to true). This leads to a stored XSS in this demo.

The marked project also appears to be abandoned. I suggest using something else in the demo. I know this is not intended to be production code, but people will follow this as an example. You can also see this in action on the main https://facebook.github.io/react/ page under "A Component Using External Plugins" as a "self XSS".

POC:

Run the project and submit a comment with the following markdown:

[XSS](javascript&#58document;alert(1))

References:

The pull request I opened to them (a long time ago): https://github.com/chjj/marked/pull/592

A full writeup on the actual issue: https://snyk.io/blog/marked-xss-vulnerability/

The Node Security Advisory: https://nodesecurity.io/advisories/101

As well as RetireJS: http://retirejs.github.io/retire.js/
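An added defender-side check, not code from the react-tutorial repo, from marked, or from the comment above: it decodes HTML entities in a link target before inspecting the URL scheme, which is the step the sanitizer discussed in this issue skips, so the payload shown above is rejected while ordinary links pass. The function names, the named-entity table and the scheme allowlist are assumptions made for this example.

```javascript
// Added example (not from the react-tutorial repo or the marked library):
// a link-target check that decodes HTML entities *before* looking at the
// URL scheme. A sanitizer that compares the raw href string never sees
// "javascript:" in "javascript&#58..." and lets it through.

// Assumption: only these named entities are handled here; numeric references
// (decimal and hex) are decoded in full. The trailing semicolon is optional
// because browsers also accept "&#58" without one.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Assumed scheme allowlist; links without a scheme (relative URLs) are accepted.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function isSafeHref(href) {
  // Decode the way the browser will before it interprets the attribute value.
  const decoded = decodeEntities(href);
  // Browsers drop tab/newline/CR anywhere in a URL and trim surrounding
  // whitespace, so the check normalizes the same way before reading the scheme.
  const normalized = decoded.replace(/[\t\n\r]/g, '').trim().toLowerCase();
  const m = normalized.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return true;            // no scheme: relative link
  return ALLOWED_SCHEMES.includes(m[1]);
}

// The href from the proof of concept in this issue, used here as sample input.
const POC_HREF = 'javascript&#58document;alert(1)';
console.log(decodeEntities(POC_HREF));                        // javascript:document;alert(1)
console.log(isSafeHref(POC_HREF));                            // false
console.log(isSafeHref('https://example.com/?a=1&amp;b=2'));  // true
```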

sophiebits commented 8 years ago

:( thanks. ugh. are there any popular libraries that don't have this problem? looks like showdown doesn't try to defend against XSS.

matt- commented 8 years ago

https://github.com/jonschlinkert/remarkable looked good to me, but I can look over a few alts.

matt- commented 8 years ago

Do you think I should also add a ticket for the https://github.com/facebook/react gh-page branch?

sophiebits commented 8 years ago

No thanks, I'll get both.

sophiebits commented 8 years ago

(React change in facebook/react#6961.)