
XSS #614

Closed
MR-H0200 opened this issue Nov 1, 2018 · 1 comment

Comments

@MR-H0200

MR-H0200 commented Nov 1, 2018

<img src="dummy.png" onerror="alert()"/>


@tivie
Member

tivie commented Nov 1, 2018

If you're referring to showdown being vulnerable to XSS attacks, please check the following link: https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)

Showdown tries to convert the input text as closely as possible, without any concerns for XSS attacks or malicious intent. So, the basic rules are:

  • removing HTML entities from markdown does not prevent XSS. Markdown syntax can generate XSS attacks.
  • XSS filtering should be done AFTER Showdown has processed any input, not before or during. If you filter before, it’ll break some of Markdown’s features and will leave security holes.
  • perform the necessary filtering server-side, not client side. XSS filtering libraries are useful but shouldn't be used blindly.

If you're referring to the Demo page, it's not possible (as far as I know) to use that page to target other people, only yourself. Even if you share a malicious composite link, the input gets sanitized.

example:

http://demo.showdownjs.com/#!/%3Cimg%20src%3D%22dummy.png%22%20onerror%3D%22alert()%22%2F%3E

Besides, the demo page doesn't store any relevant user information (just the last used options in the website), so an attack would be rather pointless.


Duplicate of: #555 #454 #446 #283 #282 #252 #216 #182 #71 #70 #57
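An added example, not Showdown's code and not part of this thread, illustrating the ordering rule from the reply above with a toy Markdown converter and an allowlist sanitizer. The names toyMarkdown, sanitizeHtml, filterThenConvert and convertThenFilter are hypothetical, and the javascript: link input is a constructed sample; the only payload taken from the page is the reported <img> tag.

```javascript
// Toy Markdown converter + allowlist sanitizer (hypothetical, not Showdown's API).
// Shows why XSS filtering must run AFTER conversion: escaping the input first
// neutralises raw HTML but not HTML that Markdown syntax itself generates.

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Minimal Markdown: [text](url) links, *em*, and raw inline HTML passthrough
// (Markdown engines, Showdown included, pass raw HTML through unchanged).
function toyMarkdown(src) {
  return src
    .replace(/\[([^\]]+)\]\(([^\s]+)\)/g, '<a href="$2">$1</a>')
    .replace(/\*([^*]+)\*/g, "<em>$1</em>");
}

// Allowlist sanitizer over the produced HTML: keeps only a/em/p/br, drops all
// attributes except an href whose scheme is http(s) or a relative/fragment URL.
// Toy only; production code should use a maintained sanitizer such as DOMPurify.
function sanitizeHtml(html) {
  return html.replace(/<\/?([a-zA-Z0-9]+)([^>]*)>/g, (m, tag, attrs) => {
    tag = tag.toLowerCase();
    if (!["a", "em", "p", "br"].includes(tag)) return "";
    if (m.startsWith("</")) return `</${tag}>`;
    const href = /href\s*=\s*"([^"]*)"/i.exec(attrs);
    if (tag === "a" && href && /^(https?:|\/|#)/i.test(href[1].trim())) {
      return `<a href="${href[1]}">`;
    }
    return `<${tag}>`;
  });
}

// Wrong order: filter the Markdown input, then convert.
function filterThenConvert(src) { return toyMarkdown(escapeHtml(src)); }
// Right order (as the reply recommends): convert, then sanitize the HTML.
function convertThenFilter(src) { return sanitizeHtml(toyMarkdown(src)); }

const reported = '<img src="dummy.png" onerror="alert()"/>'; // payload from the issue
const viaMarkdown = "[click me](javascript:alert(1))";        // constructed sample

console.log(filterThenConvert(reported));    // escaped text, harmless
console.log(filterThenConvert(viaMarkdown)); // <a href="javascript:alert(1)">click me</a>  (hole remains)
console.log(convertThenFilter(viaMarkdown)); // <a>click me</a>
console.log(convertThenFilter(reported));    // "" (img tag dropped entirely)
console.log(convertThenFilter("*safe* [docs](https://example.org)")); // features preserved
```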

@tivie tivie closed this as completed Nov 1, 2018