[CRITICAL BUG] Inject any html/css/js by using KaTeX #1160
Comments
@ArStah would you be willing to submit this using hackerone.com?
@kevinbarabash I can't find your organization there
@ArStah it should be listed as Khan Academy.
Look here what happens. Maybe it's not a KaTeX issue, but I think you must check it
This appears to be a gitter issue. It looks like they aren't properly sanitizing math input from users.
Hard to tell without more information, but I imagine if there's any input to
The KaTeX parser fails on the given input, e.g.
Yes, I also believe it shouldn't be positioned in KaTeX, although it could be "good" to help people who add this library to help themselves by sanitizing against any html inside of KaTeX. Or is there any use case where people have html>KaTeX>html?
@pascalwhoop could you expand on what you mean by
Ah sorry. Usually you nest KaTeX code inside of html, right? So let's say we use
is there any reason why we should have it be something like
If not, then forbidding any html inside the string that is passed to
We already "forbid" HTML inside the string we pass to
Okay then how exactly does it occur that the HTML breaks out? I guess you forbid it, throw an error and the string is output to the UI of the client, which then is in fact our HTML that got injected?
KaTeX autorender extension only looks at the
Yes and no. The error thrown by the KaTeX parser is then also not sanitized. The error is thrown on the client side and there is no client side wrapping of the error, sanitizing it. But you could sanitize the Error you throw so users don't have to.
I would hope/expect Gitter isn't using the autorender extension, but rather calling @pascalwhoop I don't see why the error needs to be sanitized by KaTeX. No KaTeX code will render the error to HTML. At worst, it is printed as a console message. I definitely don't understand how the leakage of HTML is happening. Feel free to email me details so I can investigate.
@edemaine has been contacted by the Gitter team. Gitter renders the KaTeX error as unsanitized HTML, which causes the trouble. I guess to give the user some feedback of what's not working.
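The failure mode described in the comment above, as an added example that is not code from KaTeX or from the thread: a host application catches a parse error and renders `err.message` as HTML. `fakeRender` is a constructed stand-in for `katex.renderToString`; like the real `ParseError`, its message echoes the offending input back to the caller, which is what turns an error display into an injection point.

```javascript
// Added example, not code from KaTeX or from the issue thread. It models the bug
// Gitter had: the host catches a KaTeX parse error and renders err.message as HTML.
// `fakeRender` is a constructed stand-in for katex.renderToString; like the real
// ParseError, its message echoes the offending input back to the caller.

class FakeParseError extends Error {
  constructor(message, position) {
    super(message);
    this.name = "ParseError";
    this.position = position;
  }
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Constructed stub: throws on '&' and '#', two characters that commonly trigger
// a real KaTeX parse error when used outside their special contexts.
function fakeRender(tex) {
  const bad = tex.search(/[&#]/);
  if (bad !== -1) {
    throw new FakeParseError(
      `KaTeX parse error: Unexpected character: '${tex[bad]}' at position ${bad + 1}: ${tex}`,
      bad,
    );
  }
  return `<span class="katex">${escapeHtml(tex)}</span>`;
}

// Vulnerable host: the error text contains user input, yet it is concatenated into HTML.
function renderMathUnsafe(tex) {
  try { return fakeRender(tex); }
  catch (e) { return `<span class="katex-error">${e.message}</span>`; }
}

// Hardened host: treat err.message as text. In a browser this is the difference
// between el.innerHTML = e.message and el.textContent = e.message.
function renderMathSafe(tex) {
  try { return fakeRender(tex); }
  catch (e) {
    if (!(e instanceof FakeParseError)) throw e; // only swallow parse errors
    return `<span class="katex-error" title="${escapeHtml(e.message)}">${escapeHtml(tex)}</span>`;
  }
}

// Constructed sample: valid TeX followed by a parse error whose context carries markup.
const SAMPLE = String.raw`x^2 & <img src=x onerror="alert(1)">`;
```

Real KaTeX also offers `throwOnError: false`, which renders the failing source as escaped text inside a `katex-error` span instead of throwing, so the host never has to handle the message itself.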
Cool, glad we could help track it down. To help avoid this in the future, I've added a paragraph to the README talking about what's safe and what isn't in PR #1161. Reading it over and critiquing would be appreciated!
@edemaine Thanks for the email response earlier ❤️ The situation has been remedied and there is a blog post here, http://blog.gitter.im/2018/02/16/gitter-xss-cryptocoin-mining-security-issue-notification/
@MadLittleMods great, thanks for the quick reaction 👍
Please contact me at arsen.stahanov@gmail.com