showdownjs / showdown

A bidirectional Markdown to HTML to Markdown converter written in Javascript
http://www.showdownjs.com/
MIT License

There exists an xss #864

Closed cinexsoft closed 3 years ago

cinexsoft commented 3 years ago

I don't exactly know how it's going as I'm just beginning to understand XSS.

I just saw this YouTube video which I've linked https://youtu.be/lG7U3fuNw3A and tried it.

Basically I have this textarea that takes the input and directly sends it through the converter and then adds the generated html to the body.

Input:

<noscript><p title="</noscript>"<img src=x onerror=alert(1)>

cinexsoft commented 3 years ago

I'm on v1.9.1

cinexsoft commented 3 years ago

I realised that showdown doesn't handle XSS, so I'll just add a sanitizer as stated in the previous issues.