valeriangalliat / markdown-it-highlightjs

Preset to use highlight.js with markdown-it.
The Unlicense

fix: escape invalid lang characters (XSS) #14

Closed ooooooo-q closed 3 years ago

ooooooo-q commented 3 years ago

I found XSS in inline code highlighting.

Example

`console.log(42)`{."><img onerror=alert(1) src=.>js}

Results

<p><code class="language-"><img onerror=alert(1) src=.>js"></code></p>

Similar problem: https://github.com/jGleitz/markdown-it-prism/pull/137

valeriangalliat commented 3 years ago

Good find, thank you!

I'm thinking of tweaking it to escape everything in between the {} instead, like it was done for the markdown-it-prism issue you linked, something like this (on line 52):

const cls = lang ? ` class="${options.langPrefix}${md.utils.escapeHtml(lang)}"` : ''

Do you think that would make sense as well?
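
The following is an added example, not code from markdown-it-highlightjs itself: a minimal model of the inline code renderer the thread is about, in its pre-fix form (the language class interpolated raw into the `class` attribute) and in the escaped form proposed above. `escapeHtml` mirrors the replacement set of markdown-it's `md.utils.escapeHtml` (`&`, `<`, `>`, `"`); `renderInlineCodeUnsafe`, `renderInlineCodeSafe`, `onlyCodeTag` and the `langPrefix` constant are names assumed for this example, and the sample inputs are the ones from the report.

```javascript
// Added example (not the project's own code): a minimal model of the inline
// code renderer discussed in this PR, in vulnerable and hardened form.

// Same replacement set as markdown-it's md.utils.escapeHtml.
const HTML_REPLACEMENTS = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

function escapeHtml(str) {
  return str.replace(/[&<>"]/g, (ch) => HTML_REPLACEMENTS[ch]);
}

// markdown-it's default options.langPrefix (assumed here as a plain constant).
const langPrefix = 'language-';

// Before the fix: the language taken from `{.lang}` goes into the attribute
// unescaped, so a `"` followed by `>` closes the attribute and the tag, and
// whatever follows is parsed by the browser as new markup.
function renderInlineCodeUnsafe(code, lang) {
  const cls = lang ? ` class="${langPrefix}${lang}"` : '';
  return `<code${cls}>${escapeHtml(code)}</code>`;
}

// After the fix (the line proposed in the thread): the lang value is escaped
// too, so quotes and angle brackets stay inside the attribute value.
function renderInlineCodeSafe(code, lang) {
  const cls = lang ? ` class="${langPrefix}${escapeHtml(lang)}"` : '';
  return `<code${cls}>${escapeHtml(code)}</code>`;
}

// Regression check: a rendered inline code fragment must consist of exactly
// one <code ...> opening tag and its closing tag; any extra tag means the
// language value produced markup of its own.
function onlyCodeTag(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.length === 2 && /^<code[ >]/.test(tags[0]) && tags[1] === '</code>';
}

// Inputs constructed from the report above.
const reportedLang = '"><img onerror=alert(1) src=.>js';
console.log(renderInlineCodeUnsafe('console.log(42)', reportedLang)); // three tags: the class attribute was broken out of
console.log(renderInlineCodeSafe('console.log(42)', reportedLang));   // one <code> tag, the whole lang value escaped
console.log(onlyCodeTag(renderInlineCodeUnsafe('console.log(42)', reportedLang))); // false
console.log(onlyCodeTag(renderInlineCodeSafe('console.log(42)', reportedLang)));   // true
```

The `onlyCodeTag` check is the kind of assertion worth keeping in the project's test suite after a fix like this: it fails on the original output and passes once the language string is escaped, independent of which payload a future report uses.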

ooooooo-q commented 3 years ago

Certainly. If we can use escapeHtml, it seems better.

valeriangalliat commented 3 years ago

:+1: the patch is live on 3.3.1, thanks again!