search

sparksuite / simplemde-markdown-editor

A simple, beautiful, and embeddable JavaScript Markdown editor. Delightful editing for beginners and experts alike. Features built-in autosaving and spell checking.
https://simplemde.com
MIT License
9.89k stars 1.12k forks source link

there was a xss both in img and a label #721

Open nanshihui opened 5 years ago

nanshihui commented 5 years ago

when We enter some strings,such as: </textarea><img/id="confirm(/xss/)"/alt="/"src="/"onerror=eval(id)>'"> or you can use [asdasd](javascript:alert&#40;&#49;&#41;)

image

The editor will execute XSS payload

When others use this editor, it is easy to get administrator rights by using XSS attack.

atodorov commented 5 years ago

@WesCossick do you have an ETA on this issue ? If I want to provide a fix which files/functions do I have to look at ?

hhaidar commented 5 years ago

https://github.com/sparksuite/simplemde-markdown-editor/issues/243#issuecomment-178242811 https://github.com/sparksuite/simplemde-markdown-editor/issues/435#issuecomment-248178738 https://github.com/sparksuite/simplemde-markdown-editor/issues/657#issuecomment-355477352

I'm not sure there's going to be a fix for this based on the comments above (which is absolutely insane and dangerous).

Some people have gotten around this by setting sanitize: true in marked (https://github.com/sparksuite/simplemde-markdown-editor/issues/243#issuecomment-313448049) or providing their own renderer in options.renderPreview.

marekdedic commented 5 years ago

I am not the author, but found this very helpful: https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)

gseastream commented 4 years ago

After reading all the different issues and the helpful link above, I came up with my own solution to this problem that so far seems to do exactly what I wanted. Since the sanitize option of marked is apparently deprecated now, this uses the renderPreview option of simplemde mentioned above, and is a pretty easy fix using DOMPurify:

function setupMDE(elem=null) {
    var opt = {
        renderingConfig: {
            codeSyntaxHighlighting: true
        }
    };
    if (elem != null) {
        opt["element"] = elem;
    };

    var simplemde = new SimpleMDE(opt);

    // need to use the default rendering routine
    simplemde.options.previewRender = function(plainText) {
        return DOMPurify.sanitize(simplemde.markdown(plainText));
    };
};

I discovered that using the old SimpleMDE.prototype.markdown method doesn't always work, for example when trying to use syntax highlighting (it doesn't do the highlighting). My guess is because that routine isn't bound to your own instance of simplemde, so it doesn't see the option you set saying to highlight syntax. But we're able to just set the previewRender option after initial construction, and use the object's own bound markdown method just fine.

Let me know if anything can be improved. This could also be done async (see the simplemde docs) but DOMPurify seems to be fast enough for the scale of my app. Also note that even the marked package itself says the its output should be sanitized before display, so using DOMPurify here should be a given.

gseastream commented 4 years ago

I've learned that EasyMDE enables this much more easily by default. For anyone finding this, EasyMDE is a fork of this project that is still maintained as of 2020.