XSS vulnerability #120

Closed
haampie opened this Issue Apr 28, 2014 · 3 comments


@haampie
haampie commented Apr 28, 2014

See for instance

http://laravel.io/forum/01-31-2014-how-to-mark-up-forum-posts?page=2#reply-5891

It is possible to create javascript links with [some text](javascript:alert('xss'))

@driesvints driesvints added this to the 2.0 milestone May 18, 2014
@driesvints driesvints self-assigned this May 21, 2014
@barryvdh
Contributor
barryvdh commented Jul 2, 2014

So is that in this forum, or is that a bug in the markdown parser (michelf/php-markdown)?
See also: michelf/php-markdown#160, michelf/php-markdown#156, michelf/php-markdown#106 etc

@GrahamCampbell
Contributor

You could always shove the output from php-markdown through my robust xss protector https://github.com/GrahamCampbell/Laravel-Security.
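A post-processing check of the kind barryvdh and GrahamCampbell are discussing, written here as an added example in Python (it is not code from this forum, php-markdown or Laravel-Security). It assumes the markdown renderer's HTML output is available as a string and that forum links should only use http, https, mailto or relative targets; it also handles the encodings (HTML entities, embedded tab/newline) that let a `javascript:` scheme slip past a naive string comparison.

```python
import html
import re
from urllib.parse import urlsplit

# Allow-list of link schemes permitted in a rendered forum post (assumption for
# this example; extend if the site needs e.g. ftp links).
SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII control characters and whitespace while parsing a URL,
# so "java\tscript:" or "\njavascript:" still executes. Strip them before
# inspecting the scheme.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")

# Matches href="..." or href='...' in the renderer's output.
_HREF = re.compile(r'href\s*=\s*(["\'])(.*?)\1', re.IGNORECASE | re.DOTALL)


def is_safe_url(raw: str) -> bool:
    """True if the link target is relative or uses an allow-listed scheme."""
    # Decode entities first: &#106;avascript: is "javascript:" to the browser.
    url = _CONTROL_WS.sub("", html.unescape(raw))
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return True  # relative target such as /forum/thread or #reply-5891
    return scheme in SAFE_SCHEMES


def neutralise_links(rendered_html: str) -> str:
    """Rewrite every href in markdown output whose scheme is not allowed.

    The link text is kept; only the target is replaced with a harmless "#".
    """
    def _fix(match: re.Match) -> str:
        quote, target = match.group(1), match.group(2)
        if is_safe_url(target):
            return match.group(0)
        return f"href={quote}#{quote}"

    return _HREF.sub(_fix, rendered_html)


if __name__ == "__main__":
    # Constructed sample: what a markdown renderer emits for the link in the
    # issue report, plus a harmless link for comparison.
    sample = ('<p><a href="javascript:alert(\'xss\')">some text</a> '
              '<a href="https://laravel.io/forum">forum</a></p>')
    print(neutralise_links(sample))
```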

@driesvints driesvints modified the milestone: 2.0, 2.1 Aug 17, 2014
@driesvints driesvints removed the blocker label Aug 17, 2014
@driesvints driesvints removed their assignment Aug 17, 2014
This was referenced Aug 25, 2014
@driesvints
Member

Fixed in #163

@driesvints driesvints closed this Sep 4, 2014