sparksuite / simplemde-markdown-editor

A simple, beautiful, and embeddable JavaScript Markdown editor. Delightful editing for beginners and experts alike. Features built-in autosaving and spell checking.
https://simplemde.com
MIT License
9.87k stars, 1.13k forks

XSS Security Vulnerability via Marked #639

Open colinalford-gsa opened 7 years ago

colinalford-gsa commented 7 years ago

We found a cross-site scripting vulnerability with SimpleMDE via the marked package. Details here: https://snyk.io/test/npm/simplemde

Snyk has provided a fix and created a PR on marked: https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51

However, marked does not appear to be actively maintained.

It might be necessary to use a forked version of marked with the fix.

chris13524 commented 6 years ago

Doesn't this make a new browsing context, and nothing can be stolen?

colinalford-gsa commented 6 years ago

@chris13524 I'm not sure what you mean by that. The issue is that a user could inject a script into an input.

Here are the details of the issue from the snyk site I posted above:

> marked is a markdown parser and compiler used for rendering markdown content to HTML. Affected versions of the package allowed the use of data: URIs for all MIME types by default, potentially opening a door for Cross-site Scripting (XSS) attacks.
>
> Data URIs enable embedding small files inline in HTML documents, provided in the URL itself. Attackers can craft malicious web pages containing either HTML or script code that utilizes the data URI scheme, allowing them to bypass access controls or steal sensitive information.
>
> An example of a data URI used to deliver JavaScript code. The data holds the `<script>alert('XSS')</script>` tag in base64-encoded format.
>
> `[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)`

Here's a conference video that explains and shows the two errors in marked, starting at 8:10.

https://youtu.be/0dgmeTy7X3I?t=8m10s
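The defence the advisory points at is a link-target allowlist: instead of letting a renderer emit whatever scheme the markdown author wrote, check the scheme before the href reaches the DOM. The block below is an added example written for this thread, not SimpleMDE's or marked's own code. The names `ALLOWED_SCHEMES`, `normaliseForCheck`, `isSafeHref` and `sanitizeMarkdownLinks` are assumptions made for the example; the sample markdown is constructed and includes the data: link quoted in the issue.

```javascript
// Added example, not SimpleMDE's or marked's own code: a scheme allowlist for
// markdown link/image targets. Names (ALLOWED_SCHEMES, normaliseForCheck,
// isSafeHref, sanitizeMarkdownLinks) are assumptions made for this example.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Normalise a copy of href for inspection only: decode numeric HTML entities
// (markdown passes them through into the rendered href), drop control
// characters and whitespace, and lowercase. The original href is never
// modified; only the allow/deny decision is based on the normalised form.
function normaliseForCheck(href) {
  return href
    .replace(/&#(\d+);?/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/[\u0000-\u0020\u007f]/g, "")
    .toLowerCase();
}

// True when href is relative (no scheme) or its scheme is on the allowlist.
// data: is rejected for every MIME type, which is the setting the advisory
// says marked lacked; javascript: and any unknown scheme are rejected too,
// because the allowlist is the only path in.
function isSafeHref(href) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normaliseForCheck(href));
  if (m === null) return true; // relative URL such as /docs/readme.md
  return ALLOWED_SCHEMES.has(m[1]);
}

// Rewrite [text](href "title") and ![alt](href) in markdown source so that
// unsafe targets become "#". Link text and title are kept; only the target
// is replaced, so the document still reads sensibly after sanitising.
function sanitizeMarkdownLinks(md) {
  return md.replace(
    /\[([^\]]*)\]\(([^)\s]+)((?:\s+"[^"]*")?)\)/g,
    (whole, text, href, title) => (isSafeHref(href) ? whole : `[${text}](#${title})`)
  );
}

// Constructed sample: the link from this issue plus two ordinary links.
const SAMPLE = [
  "[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)",
  "[docs](https://simplemde.com \"SimpleMDE\")",
  "[readme](/docs/readme.md)",
].join("\n");

console.log(sanitizeMarkdownLinks(SAMPLE));
```

Run with `node` and the first line comes back as `[xss link](#)` while the other two are untouched. The check is deliberately an allowlist rather than a denylist of bad schemes: if an application really needs inline images, the right move is to add an explicit `data:image/...` rule with a MIME-type check rather than to reopen data: for every type, which is exactly the default the advisory describes.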

chris13524 commented 6 years ago

My bad. It seems that by linking the page, you can steal data (alert(document.cookie)). But when you reload the page afterwards, the alert is now empty. Odd.