cse-fire / fire / issues / #154 - Markdown unicode bug - XSS — Bitbucket

Issue #154 resolved

Hossein Hussain created an issue 2017-04-26

When submitting a lab we can add comments which uses markdown syntax. There is an XSS vulnerability there when using unicode to bypass the filter. This is an example: text;">text</a>

Comments (6)

Hossein Hussain reporter
- changed title to Markdown unicode bug - XSS
- 2017-04-26T15:22:54+00:00
aalfred
that's just HTML entities, not Unicode. Either way, the easiest solution is a whitelist for "http://" and "https://", rather than trying to blacklist "javascript:".
- 2017-05-04T15:23:49+00:00
Evgeny Kotelnikov
- changed status to open
- 2017-05-04T15:29:01+00:00
aalfred
Fixed in mistune v0.7.2, released Feb 2016. Ignore my comment in ~~#155~~ saying it's still vulnerable, I misread the output (expected "", got "javascript:alert('hello')").

Just bump the dependency and you can close both issues.
- 2017-05-04T17:37:32+00:00
Víctor López Juan
Thanks for reporting this! I've patched it up in production in a quick-and-dirty way (just whitelisting links that start with 'h'). We should have a proper fix for the next release.
- 2017-05-26T08:48:43+00:00
Víctor López Juan
- changed status to resolved
[ fix ] Bump mistune to fix ~~#154~~, ~~#155~~

→ <<cset c0ef84f013dc>>
- 2017-06-16T10:00:46+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Component: –

Milestone: –

Votes: 0

Watchers: 1

Jira Software: the preferred issue tracker for Bitbucket. Join the team!