- changed title to Markdown unicode bug - XSS
Markdown unicode bug - XSS
When submitting a lab we can add comments which use markdown syntax. There is an XSS vulnerability there when using unicode to bypass the filter. This is an example: text;">text</a>
Comments (6)
reporter -
that's just HTML entities, not Unicode. Either way, the easiest solution is a whitelist for "http://" and "https://", rather than trying to blacklist "javascript:".
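As an added illustration of the allowlist-versus-blacklist point in the comment above (example code written for this thread, not mistune's code; the function names and the sample hrefs are my own), the naive substring blacklist is bypassed by an entity-encoded href, while decoding first and then allowing only known-safe schemes is not:

```python
# Added example, not part of the issue thread or of mistune.
# Contrast a substring blacklist on "javascript:" with a decode-then-allowlist
# check on the URL scheme of a markdown link href.
import html
import urllib.parse

ALLOWED_SCHEMES = {"http", "https"}  # the allowlist suggested in the thread


def blacklist_href(href: str) -> str:
    """Naive filter: drops the href only if the literal text 'javascript:' appears."""
    if "javascript:" in href.lower():
        return ""
    return href


def allowlist_href(href: str) -> str:
    """Decode HTML entities, normalise, then keep only http(s) or plain relative links."""
    decoded = html.unescape(href).strip()
    # Tabs/newlines inside a scheme are ignored by browsers, so strip them
    # before parsing rather than letting them hide the scheme from us.
    decoded = "".join(ch for ch in decoded if ch.isprintable())
    scheme = urllib.parse.urlsplit(decoded).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return decoded
    if scheme == "" and ":" not in decoded:
        return decoded  # plain relative link such as "/labs/42"
    return ""  # anything else (javascript:, data:, vbscript:, ...) is dropped


# Constructed sample: the entity-encoded form of "javascript:alert('hello')".
ENCODED_SAMPLE = "&#106;avascript:alert('hello')"

if __name__ == "__main__":
    print("blacklist keeps:", repr(blacklist_href(ENCODED_SAMPLE)))  # bypassed
    print("allowlist keeps:", repr(allowlist_href(ENCODED_SAMPLE)))  # ''
```

The decoded-scheme check also catches case and whitespace variants of the scheme, which a literal-substring blacklist does not.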
- changed status to open
Fixed in mistune v0.7.2, released Feb 2016. Ignore my comment in #155 saying it's still vulnerable, I misread the output (expected "", got "javascript:alert('hello')"). Just bump the dependency and you can close both issues.
Thanks for reporting this! I've patched it up in production in a quick-and-dirty way (just whitelisting links that start with 'h'). We should have a proper fix for the next release.
- changed status to resolved
[fix] Bump mistune to fix #154, #155 → <<cset c0ef84f013dc>>