Markdown unicode bug - XSS (2)
Issue #155
resolved
Posting the following Markdown executes arbitrary JS on page load:
[]("><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=" onload="alert('hello')"><a href=")
Similar to #154, but even worse, as it doesn't require the user to click anything.
Comments (5)
- changed status to open
- reporter: It's fixed in Mistune 0.7.2, released Feb 2016. But #154 isn't, I'll report that one.
- reporter: So apparently #154 got a quick-and-dirty fix. The equivalent fix here is banning links containing ", or replacing them with ".
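The attribute breakout described in the report, and the escaping fix suggested in the comment above, as an added example that is not mistune's code or the reporter's: a hypothetical naive link renderer beside a hardened one that HTML-escapes the destination with quote=True (and, going beyond this report, drops unexpected URL schemes), plus a parser-based check a test suite can use to confirm a rendered link contains only a single <a href>. The sample link is constructed after the pattern in the report.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample following the pattern of the payload in this report: a
# double quote in the link destination closes the href attribute, so the rest
# of the string is parsed as new markup.
SAMPLE_TEXT = ""
SAMPLE_LINK = '"><img src="x" onload="alert(1)"><a href="'


def render_link_vulnerable(text, link):
    """Hypothetical naive renderer: the destination is interpolated unescaped."""
    return '<a href="%s">%s</a>' % (link, text)


def render_link_safe(text, link, allowed_schemes=("http", "https", "mailto")):
    """Hypothetical hardened renderer (not mistune's code): HTML-escape the
    destination and the text with quote=True so the input can never terminate
    the attribute; as an extra defence beyond this report, drop destinations
    whose URL scheme is not on the allow list."""
    scheme = urlsplit(link).scheme.lower()
    if scheme and scheme not in allowed_schemes:
        link = ""
    return '<a href="%s">%s</a>' % (
        html.escape(link, quote=True),
        html.escape(text, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def rendered_tags(rendered):
    """Check for a test suite: list the elements in the rendered fragment.
    A correctly rendered link yields exactly [("a", ["href"])]; anything more
    means the destination broke out of the attribute."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags
```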
- changed status to resolved
  [ fix ] Bump mistune to fix #154, #155 → <<cset c0ef84f013dc>>
- Wow, thanks for the report! Do you mind also reporting this to the mistune project?