Skip to content
This repository was archived by the owner on Jul 19, 2019. It is now read-only.

Stored XSS in Mark Down #139

Closed
matt- opened this issue Jun 3, 2016 · 5 comments
Closed

Stored XSS in Mark Down #139

matt- opened this issue Jun 3, 2016 · 5 comments

Comments

@matt-
Copy link

matt- commented Jun 3, 2016
edited
Loading

The markdown library (marked) used in this demo does not properly handle HTML entities (even with the sanitize option set to true). This leads to a stored XSS in this demo.

The marked project also appears to be abandoned. I suggest using something else in the demo. I know this is not intended to be production code, but people will follow this as an example. You can also see this in action on the main https://facebook.github.io/react/ page under "A Component Using External Plugins" as a "self xss"

POC:

Run the project and submit a comment with the following markdown:

[XSS](javascript&#58document;alert(1))

References:

The pull request I opened to them (a long time ago):
markedjs/marked#592

A full writeup on the actual issue:
https://snyk.io/blog/marked-xss-vulnerability/

The Node Security Advisory:
https://nodesecurity.io/advisories/101

As well as RetireJS:
http://retirejs.github.io/retire.js/
@sophiebits
Copy link
Member

:( thanks. ugh. are there any popular libraries that don't have this problem? looks like showdown doesn't try to defend against XSS.

@matt-
Copy link
Author

matt- commented Jun 3, 2016

https://github.com/jonschlinkert/remarkable looked good to me, but I can look over a few alts.

@matt-
Copy link
Author

matt- commented Jun 3, 2016

Do you think I should also add a ticket for the https://github.com/facebook/react gh-page branch?

@sophiebits
Copy link
Member

No thanks, I'll get both.

@sophiebits sophiebits mentioned this issue Jun 3, 2016
Merged
sophiebits added a commit to sophiebits/react-tutorial that referenced this issue Jun 3, 2016
@sophiebits
Use remarkable instead of marked
5c22766 
Closes reactjs#139.
sophiebits added a commit to sophiebits/react that referenced this issue Jun 3, 2016
@sophiebits
Use remarkable instead of marked
24b7da6 
reactjs/react-tutorial#139
@sophiebits sophiebits mentioned this issue Jun 3, 2016
Merged
sophiebits added a commit that referenced this issue Jun 3, 2016
@sophiebits
Use remarkable instead of marked (#140)
06b89a1 
Closes #139.
@sophiebits
Copy link
Member

sophiebits commented Jun 3, 2016
edited
Loading

(React change in facebook/react#6961.)

sophiebits added a commit to facebook/react that referenced this issue Jun 3, 2016
@sophiebits
Use remarkable instead of marked (#6961)
1801d56 
reactjs/react-tutorial#139
sophiebits added a commit to facebook/react that referenced this issue Jun 3, 2016
@sophiebits
Use remarkable instead of marked (#6961)
79707ca 
reactjs/react-tutorial#139
(cherry picked from commit 1801d56)
@jmarca jmarca mentioned this issue Aug 3, 2016
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sophiebits @matt-