Open ghost opened 10 years ago
Do you have an example case?
@acrobat, add javascript:alert('xss') as a markdown link, then click the preview button. Click the link in the preview: it's a vulnerability!! It's not safe to use, especially since it's open to hackers!!
Looks like the above 2 commits prohibit the XSS if javascript:alert('xss') is entered in the popup box; however, when entering it directly in the editor it is still vulnerable when hitting preview.
ikr
@iJoshuaHD @groothuyse My bad. Will re-check this soon.
Any updates on this?
@toopay any updates?
@arall I haven't found a bulletproof solution for this yet.
+1 for this. It is a critical issue.
Any news?
I made the following solution that already mitigates a lot of XSS attacks. So if you are using this library and cannot switch to a better one, do the following:
In the file bootstrap-markdown.js, on line 575 within the function showPreview: function(), add the following lines:
content = content.replace(/<\/?(script|iframe|object|embed|form)[^>]*>/gi, "");
content = content.replace(/\s*javascript:/gi, "");
content = content.replace(/\s*on\w+="[^"]*"/gi, "");
content = content.replace(/\s*on\w+='[^']*'/gi, "");
content = content.replace(/\s*on\w+=\w+/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*"data:[^"]*"/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*'data:[^']*'/gi, "");
Below is the exact point in the file where the above code should be inserted, between the line with content = typeof callbackContent and the comment Build preview element.
(...)
// Set the content based on the callback content if string, otherwise parse value from textarea
content = typeof callbackContent == 'string' ? callbackContent : this.parseContent();
// Protection against XSS attacks on preview mode
content = content.replace(/<\/?(script|iframe|object|embed|form)[^>]*>/gi, "");
content = content.replace(/\s*javascript:/gi, "");
content = content.replace(/\s*on\w+="[^"]*"/gi, "");
content = content.replace(/\s*on\w+='[^']*'/gi, "");
content = content.replace(/\s*on\w+=\w+/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*"data:[^"]*"/gi, "");
content = content.replace(/\s*(src|href)\s*=\s*'data:[^']*'/gi, "");
// Build preview element
replacementContainer.html(content);
(...)
I hope this helps someone after so many years, for those who still use old code in legacy systems.
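An added example, not from this thread or from bootstrap-markdown: it runs the posted blocklist over constructed preview HTML and contrasts it with a scheme allowlist for href/src values (the part of the patch that deals with javascript: and data: targets). The allowlist relies on the WHATWG URL parser and a placeholder base https://placeholder.invalid/, both assumptions of this example.

```javascript
// The commenter's blocklist, as posted in the thread, applied in order
// to the serialized preview HTML.
const BLOCKLIST_RULES = [
  /<\/?(script|iframe|object|embed|form)[^>]*>/gi,
  /\s*javascript:/gi,
  /\s*on\w+="[^"]*"/gi,
  /\s*on\w+='[^']*'/gi,
  /\s*on\w+=\w+/gi,
  /\s*(src|href)\s*=\s*"data:[^"]*"/gi,
  /\s*(src|href)\s*=\s*'data:[^']*'/gi,
];

function stripWithBlocklist(html) {
  return BLOCKLIST_RULES.reduce((out, re) => out.replace(re, ''), html);
}

// Allowlist alternative: a link target is kept only when it parses to
// http, https or mailto. Relative targets resolve against a placeholder
// base (assumption of this example) and therefore inherit https:.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeUrl(raw) {
  try {
    // The WHATWG parser trims surrounding whitespace and lower-cases the
    // scheme, so "  JAVASCRIPT:" is classified the same as "javascript:".
    const { protocol } = new URL(raw, 'https://placeholder.invalid/');
    return SAFE_SCHEMES.has(protocol);
  } catch (e) {
    return false; // unparseable target: drop it rather than guess
  }
}

// Drops href/src attributes whose value fails the allowlist and leaves
// everything else untouched. Like the posted patch this operates on
// quoted attribute values in the HTML string; it does not cover event
// handler attributes, which the blocklist rules above address separately.
function allowlistLinkTargets(html) {
  return html.replace(/\s+(href|src)\s*=\s*(["'])(.*?)\2/gi,
    (match, name, quote, value) => (isSafeUrl(value) ? match : ''));
}

// Constructed sample: a javascript: link, a benign link whose query
// string merely contains the word "javascript:", and a data: image.
const SAMPLES = [
  '<a href="javascript:alert(\'xss\')">click</a>',
  '<a href="https://example.com/?q=javascript:void">doc</a>',
  '<img src="data:image/png;base64,AAAA" alt="x">',
];
for (const s of SAMPLES) {
  console.log(stripWithBlocklist(s), '|', allowlistLinkTargets(s));
}
```

The second sample shows why blocklisting on the substring is lossy: the blocklist rewrites a legitimate https link, while the allowlist leaves it intact and still drops the javascript: and data: targets.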
This markdown editor is vulnerable to XSS attacks, especially the preview feature.