search

refactory-id / bootstrap-markdown

Bootstrap plugin for markdown editing
Apache License 2.0
1.99k stars 370 forks source link

vulnerable to xss attacks #98

Open ghost opened 10 years ago

ghost commented 10 years ago

This markdown editor is vulnerable to xss attacks especially the preview feature.

acrobat commented 10 years ago

Do you have an example case?

ghost commented 10 years ago

@acrobat, add javascript:alert('xss') as markdown link then click preview button. click the link in the preview, its a vulnerability!! its not safe to use especially its open to hackers!!

groothuyse commented 9 years ago

Looks like the above 2 commits prohibit the xss if javascript:alert('xss') is entered in the popup box, however when entering it directly in the editor it still vulnerable when hitting preview.

ghost commented 9 years ago

ikr

toopay commented 7 years ago

@iJoshuaHD @groothuyse My bad. Will re-check this soon.

arall commented 7 years ago

Any updates in this?

arall commented 7 years ago

@toopay any updates?

toopay commented 7 years ago

@arall I havent found a bulletproof solution for this yet.

ar-anvd commented 7 years ago

+1 for this. Is a critical issue.

nnachit commented 5 years ago

Any news ?

albertdick commented 1 month ago

I made the following solution that already mitigates a lot of XSS attacks. So if you are using this library and cannot switch to a better one, do the following:

In the file bootstrap-markdown.js on line 575 within the function showPreview: function(), add the following lines:

content = content.replace(/<\/?(script|iframe|object|embed|form)[^>]*>/gi, "");
content = content.replace(/\s*javascript:/gi, "");
content = content.replace(/\s*on\w+="[^"]*"/gi, "");
content = content.replace(/\s*on\w+='[^']*'/gi, "");
content = content.replace(/\s*on\w+=\w+/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*"data:[^"]*"/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*'data:[^']*'/gi, "");

Below is the exact point in the file where the above code should be inserted, between lines with content = typeof callbackContent and Build preview element.

(...)

// Set the content based on the callback content if string, otherwise parse value from textarea
content = typeof callbackContent == 'string' ? callbackContent : this.parseContent();

// Protection against XSS attacks on preview mode
content = content.replace(/<\/?(script|iframe|object|embed|form)[^>]*>/gi, "");
content = content.replace(/\s*javascript:/gi, "");
content = content.replace(/\s*on\w+="[^"]*"/gi, "");
content = content.replace(/\s*on\w+='[^']*'/gi, "");
content = content.replace(/\s*on\w+=\w+/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*"data:[^"]*"/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*'data:[^']*'/gi, "");     

// Build preview element
replacementContainer.html(content);

(...)

I hope this helps someone after so many years, for those who still use old code in legacy systems.