Observation:
The export of slides with some Markdown code blocks didn't produce a valid HTML file and the PDF export resulted in some incomplete plain text file, not even a PDF.
Problem:
The slides contain several Markdown code blocks where one contained several `script` tags. After removing these tags, the export to HTML and PDF worked properly.
Further investigation revealed that the problem can be exploited to do cross-site scripting.
What makes the issue worse, the `bs serve` development server is not affected, hence the bug is not triggered during the creation of slides but might cause (security) issues later when creating static HTML files. Maybe there is some automated process that creates and deploys slides on the fly.
Example:
```markdown
title: Script tag test
name: inverse
layout: true
class: center, middle, inverse
---
# Script tag test
---
## Some code
```xml
<p>lorem ipsum</p>
<script type="text/javascript">
// ...
</script>
<script>
// ...
</script><script>alert(1);</script>
<p>dolor sit amet</p>
\```
---
## The end
```
(To make this work, remove the backslash that escapes the triple backtick; I had to enter it that way to allow a Markdown code block in a Markdown code block in this GH issue.)
Expected result:
The slides are exported properly, resulting in a valid HTML with escaped `script` tags and a PDF with the complete slides. XSS must not be possible.
Actual result:
The slides work while being served using `bs serve`. When exported using `bs pdf`, the PDF will be a plain text file containing fragments of the slides and surrounding premark.js code. The HTML export (`bs export`) results in an HTML file which will trigger an alert box when being opened in a browser.
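The failure mode reported above, with a hardened embedding beside it, as an added example that is not the project's code and not part of the original issue. It assumes the exported HTML carries the Markdown source inside an inline script element, which the issue does not confirm; all function names and the sample slide are constructed for illustration.

```javascript
// Added example. Assumption: the exporter inlines the Markdown source into an
// inline <script> element of the static HTML. Function names are hypothetical.

// Constructed sample: a slide whose fenced code block contains script tags.
const fence = '`'.repeat(3);
const slideSource = [
  '## Some code',
  fence + 'xml',
  '<p>lorem ipsum</p>',
  '</script><script>alert(1);</script>',
  fence,
].join('\n');

// Naive embedding: the source is pasted verbatim into the container element.
function embedNaive(markdown) {
  return '<script type="text/plain" id="source">' + markdown + '</script>';
}

// Hardened embedding: serialize as JSON and escape every "<" so the HTML
// tokenizer can never see "</script" or "<!--" inside the element.
function embedEscaped(markdown) {
  const literal = JSON.stringify(markdown).replace(/</g, '\\u003c');
  return '<script type="application/json" id="source">' + literal + '</script>';
}

// Mimics the HTML rule that a script element's content ends at the first
// "</script" (case-insensitive), whatever the content was meant to be.
function scriptElementContent(html) {
  const start = html.indexOf('>') + 1;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// True when text after the first closing tag would be parsed as live markup.
function breaksOut(html) {
  const end = html.toLowerCase().indexOf('</script', html.indexOf('>') + 1);
  return html.slice(end).replace(/^<\/script\s*>/i, '').length > 0;
}

// Reader side of the hardened form: JSON.parse restores the original source.
function recover(html) {
  return JSON.parse(scriptElementContent(html));
}
```

A check like `breaksOut` can run in the export pipeline against the generated file, which covers the gap the issue points out: the development server does not show the problem, so only the static output can be tested for it.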