search

wooorm / markdown-rs

CommonMark compliant markdown parser in Rust with ASTs and extensions
https://docs.rs/markdown/1.0.0-alpha.18/markdown/
MIT License
836 stars 41 forks source link

Panic when testing XSS fussing #118

Closed kimtore closed 6 days ago

kimtore commented 6 days ago

markdown-it throws a panic when input is malformed:

thread 'tokio-runtime-worker' panicked at /home/kimt/.cargo/registry/src/index.crates.io-6f17d22bba15001f/markdown-it-0.6.0/src/generics/inline/code_pair.rs:87:46:
index out of bounds: the len is 0 but the index is 1

Rendering code:

let parser = &mut markdown_it::MarkdownIt::new();
markdown_it::plugins::cmark::add(parser);
markdown_it::plugins::extra::add(parser);
let ast = parser.parse(input_data);
ast.render().into()

This is my input data:

[XSS](javascript:prompt(document.cookie))
[XSS](j    a   v   a   s   c   r   i   p   t:prompt(document.cookie))
[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[XSS](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)
[XSS]: (javascript:prompt(document.cookie))
[XSS](javascript:window.onerror=alert;throw%20document.cookie)
[XSS](javascript://%0d%0aprompt(1))
[XSS](javascript://%0d%0aprompt(1);com)
[XSS](javascript:window.onerror=alert;throw%20document.cookie)
[XSS](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie)
[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[XSS](vbscript:alert(document.domain))
[XSS](javascript:this;alert(1))
[XSS](javascript:this;alert(1))
[XSS](javascript&#58this;alert(1))
[XSS](Javascript:alert(1))
[XSS](Javas%26%2399;ript:alert(1))
[XSS](javascript:alert(1))
[XSS](javascript:confirm(1)
[XSS](javascript://www.google.com%0Aprompt(1))
[XSS](javascript://%0d%0aconfirm(1);com)
[XSS](javascript:window.onerror=confirm;throw%201)
[XSS](�javascript:alert(document.domain))
![XSS](javascript:prompt(document.cookie))\
![XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
![XSS'"`onerror=prompt(document.cookie)](x)\
ChristianMurphy commented 6 days ago

Welcome @kimtore! 👋 This project isn't markdown it. If you want to file a markdown it rust bug, file it at their issue tracker.

https://github.com/markdown-it-rust/markdown-it

Or you could try this project! 🙂

kimtore commented 6 days ago

Heh, my bad, thanks. I tried this project but needed URL autolinking, so had to go with the other one.

wooorm commented 6 days ago

Not sure what you mean as URL autolinking. Perhaps you mean GFM autolinks. This project has GFM: https://github.com/wooorm/markdown-rs#extensions

kimtore commented 6 days ago

Sort of - similar to GFM autolinks.

I want https://... to be converted into links, and preferably removing the https:// part from the text.

Tried to do this with markdown-rs but it seems that it is required to wrap the link in <angle brackets>.

wooorm commented 6 days ago

I want https://... to be converted into links, and preferably removing the https:// part from the text.

That first part is what GFM does.

it seems that it is required to wrap the link in <angle brackets>.

That is what CommonMark does.

kimtore commented 5 days ago

Thanks a lot, I didn't realize that GFM did the trick. Now back to using your library :-)

kimtore commented 5 days ago

Is there a chance you'll implement protocol removal of link texts as an option?

wooorm commented 5 days ago

nope, this crate follow standards. if you want pretty urls, I’d recommend: [`example.com`](https://example.com). there are issues open about plugins — those, when implemented, could do that though.