waylonflinn / markdown-it-katex

Add Math to your Markdown with a KaTeX plugin for Markdown-it
MIT License
252 stars 155 forks

XSS when parsing math expression #26

Open l4wio opened 5 years ago

l4wio commented 5 years ago

Look at: https://github.com/waylonflinn/markdown-it-katex/blob/master/index.js#L168

Once the parser returns an error, it would return the katex input as HTML tags without sanitizing it.

To trigger this catch block, you can easily put one more "%" character.

Try it on live demo http://waylonflinn.github.io/markdown-it-katex/

  1. Input the data as $<img src=a onerror=alert(1)>$, nothing happens.
  2. Try $<img src=a onerror=alert(1)>%$ and you can see the alert dialog.

Consider that this affects many real-world products.
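As an added example (not the plugin's own code), here is the fallback pattern the report describes next to a version that HTML-escapes the source before emitting it; `parseMath` is a constructed stand-in for katex.renderToString that throws on a stray "%", as the report says the real parser does.

```javascript
// Added example, not markdown-it-katex's own code. Shows the failure mode from
// the report: a renderer that returns the raw LaTeX source when parsing throws,
// beside the fix of escaping that fallback.

function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for katex.renderToString: a "%" is a parse error here.
function parseMath(latex) {
  if (latex.includes('%')) {
    throw new Error('ParseError: unexpected % in math input');
  }
  // Real KaTeX emits structured markup; a placeholder element is enough here.
  return '<span class="katex">' + escapeHtml(latex) + '</span>';
}

// Vulnerable fallback (the pattern the issue describes): on error the raw
// source is returned and ends up in the page as live HTML.
function renderInlineUnsafe(latex) {
  try {
    return parseMath(latex);
  } catch (err) {
    return latex;
  }
}

// Hardened fallback: the source is escaped before it is emitted, and the error
// text is escaped too so it can safely sit in a title attribute.
function renderInlineSafe(latex) {
  try {
    return parseMath(latex);
  } catch (err) {
    return '<span class="katex-error" title="' + escapeHtml(err.message) + '">'
      + escapeHtml(latex) + '</span>';
  }
}

// The two inputs quoted in the report above.
const benign = '<img src=a onerror=alert(1)>';   // parses, so it is rendered escaped
const trigger = '<img src=a onerror=alert(1)>%'; // parse error, reaches the catch block
```

Only the error path differs between the two renderers, which is why the first input looks harmless and the second does not.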

huntr-helper commented 4 years ago

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

Automatically generated by @huntr-helper...

huntr-helper commented 4 years ago

🛠️ A fix has been provided for this issue. Please reference: https://github.com/418sec/markdown-it-katex/pull/1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.