cse-fire / fire / issues / #155 - Markdown unicode bug - XSS (2) — Bitbucket

Issue #155 resolved

aalfred created an issue 2017-05-04

Posting the following Markdown executes arbitrary JS on page load:

[]("><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=" onload="alert('hello')"><a href=")

Similar to ~~#154~~, but even worse, as it doesn't require the user to click anything.

Comments (5)

Evgeny Kotelnikov
Wow, thanks for the report!

Do you mind also reporting this to the mistune project?
- 2017-05-04T15:29:11+00:00
Evgeny Kotelnikov
- changed status to open
- 2017-05-04T15:29:17+00:00
aalfred reporter
It's fixed in Mistune 0.7.2, released Feb 2016.

But ~~#154~~ isn't, I'll report that one.
- 2017-05-04T17:25:19+00:00
aalfred reporter
So apparently ~~#154~~ got a quick-and-dirty fix.

The equivalent fix here is banning links containing ", or replacing them with ".
- 2017-05-27T14:27:23+00:00
Víctor López Juan
- changed status to resolved
[ fix ] Bump mistune to fix ~~#154~~, ~~#155~~

→ <<cset c0ef84f013dc>>
- 2017-06-16T10:00:46+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Component: –

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!