sparksuite / simplemde-markdown-editor

A simple, beautiful, and embeddable JavaScript Markdown editor. Delightful editing for beginners and experts alike. Features built-in autosaving and spell checking.
https://simplemde.com
MIT License

XSS Vulnerability #730

Open pranavstark opened 5 years ago

pranavstark commented 5 years ago

XSS vulnerability detected: I tried injecting an XSS payload into SimpleMDE by creating a link as follows: [XSS](javascript:alert%28sessionStorage.clear%28%29%29) and it works as follows: this is converted into a link that, in this example, clears the user's sessionStorage when clicked.

dantrevino commented 5 years ago

you should be setting your marked parse options to sanitize

pranavstark commented 5 years ago

Hi @dantrevino, I did not find any configuration option to set it to sanitize. Please let me know how to set the marked parse options to sanitize. I am looking here for the configuration: https://github.com/sparksuite/simplemde-markdown-editor#configuration

roipoussiere commented 5 years ago

Until this is fixed, you can enable the sanitize marked option.

You can do this in the latest version, which is not in the master branch, so you need to build the simplemde files from source:

git clone https://github.com/sparksuite/simplemde-markdown-editor.git
cd simplemde-markdown-editor
npm install --save-dev
gulp

Note that as I write this text, the current gulpfile doesn't support gulp 4. If my pull request to fix this has not been merged by the time you read this, you must edit the gulpfile too (just see the PR diff).

Then, copy simplemde-markdown-editor/dist/simplemde.min.css and simplemde-markdown-editor/dist/simplemde.min.js to your project.

Finally, set the sanitize option to true:

var simplemde = new SimpleMDE({
    element: $('#articleContent')[0],
    renderingConfig: {
        // options passed through to the marked parser
        markedOptions: {
            sanitize: true
        }
    }
});
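The payload in this thread works because the renderer copies the link destination into an href without checking its scheme, and the browser percent-decodes `alert%28...%29` before executing it. The following is an added example, not SimpleMDE's or marked's own code, of the check a Markdown renderer has to apply to link destinations: decode, strip the control characters browsers ignore inside a scheme, then allow only an explicit list of schemes (the allowlist here, `http`, `https`, `mailto`, `tel`, is this example's choice). A minimal link-only renderer shows the check in use; the sample Markdown inputs are constructed for the example.

```javascript
// Added example: defensive link-destination check for a Markdown renderer.
// Not the code of SimpleMDE or marked; the scheme allowlist is an assumption.

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Return the original URL if it may be emitted as an href, otherwise null.
function safeLinkUrl(raw) {
  // 1. Percent-decode so "%6Aavascript:" is recognised as "javascript:".
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed escape sequence: refuse rather than guess
  }
  // 2. Remove control characters and whitespace that browsers skip when
  //    parsing a scheme ("java\tscript:", "java\nscript:").
  const cleaned = decoded.replace(/[\u0000-\u0020\u007f]/g, '');
  // 3. Decide by scheme. Destinations with no scheme (relative URLs,
  //    fragments) are allowed through unchanged.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return raw;
  const scheme = m[1].toLowerCase() + ':';
  return SAFE_SCHEMES.has(scheme) ? raw : null;
}

// HTML-escape text placed into element content or attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render inline Markdown links of the form [text](url). A link whose
// destination fails safeLinkUrl is emitted as its plain text only.
function renderLinks(markdown) {
  return markdown.replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, (match, text, url) => {
    const href = safeLinkUrl(url);
    if (href === null) {
      return escapeHtml(text); // drop the link, keep the visible text
    }
    return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
  });
}

// Constructed sample inputs: the payload from this issue and a benign link.
const PAYLOAD_FROM_ISSUE = '[XSS](javascript:alert%28sessionStorage.clear%28%29%29)';
const BENIGN_LINK = 'see [the site](https://simplemde.com)';

console.log(renderLinks(PAYLOAD_FROM_ISSUE));
console.log(renderLinks(BENIGN_LINK));
```

The decode-then-strip order matters: checking the raw string for the prefix `javascript:` misses both the percent-encoded and the tab-split variants, which is why a blocklist applied to the undecoded href is not enough. An allowlist of schemes also rejects `data:` and `vbscript:` URLs without having to enumerate them.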