XSS using javascript: URLs #167
Comments
Thank you @wfinn for reporting this issue. Probably we should implement a
@wfinn seems we have a solution for you netbox-community/netbox#4717 (comment)

```python
import markdown
from html.parser import HTMLParser
from django.conf import settings
from django.utils.safestring import mark_safe

# https://en.wikipedia.org/wiki/List_of_URI_schemes
ALLOWED_URL_SCHEMES = getattr(
    settings, "ALLOWED_URL_SCHEMES",
    ['file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp']
)


def render_markdown(value):
    # Render Markdown
    html = markdown.markdown(value, extensions=['fenced_code', 'tables'])

    class MyHTMLParser(HTMLParser):
        error = False

        def handle_starttag(self, tag, attrs):
            for key, val in attrs:
                if tag == 'a' and key == 'href':
                    for scheme in ALLOWED_URL_SCHEMES:
                        # Compare against "scheme:" so a bare prefix such as
                        # "http" cannot match an unrelated scheme.
                        if val.startswith(scheme + ':'):
                            return
                    # No allow-listed scheme matched this href: flag the document.
                    self.error = True

    parser = MyHTMLParser()
    parser.feed(html)
    if parser.error:
        html = "A link with an invalid scheme was detected - see settings.ALLOWED_URL_SCHEMES"
    return mark_safe(html)


value = "[aaaa](javascript:alert(1))"
render_markdown(value)
```

Or also using this nice idea:
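A stricter version of the scheme check in the snippet above, added here as an example and not code from martor, netbox or the commenter: it isolates the scheme with urlsplit instead of a prefix test, lets relative links through, and works on the HTML that markdown.markdown() emits (a constructed sample for the issue's payload is embedded), so it needs neither Django nor Python-Markdown to run.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The thread's allow-list as a set (constructed for this example).
ALLOWED_URL_SCHEMES = frozenset([
    'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp',
    'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
])

# Constructed sample: what markdown.markdown() emits for the issue's
# payload "[aaaa](javascript:alert(1))".
SAMPLE_HTML = '<p><a href="javascript:alert(1)">aaaa</a></p>'


def url_scheme_allowed(url):
    """True if url is relative or its scheme is allow-listed."""
    # urlsplit() isolates the scheme proper, unlike a startswith() prefix
    # match, and leaves it empty for relative links such as "/docs" or
    # "#top". RFC 3986 schemes are case-insensitive, hence lower().
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme == '' or scheme in ALLOWED_URL_SCHEMES


class LinkSchemeChecker(HTMLParser):
    """Records every <a href> whose scheme is not allow-listed."""

    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        # html.parser has already decoded entities in attribute values,
        # so the check sees the URL a browser would actually navigate to.
        for key, val in attrs:
            if tag == 'a' and key == 'href' and val is not None:
                if not url_scheme_allowed(val):
                    self.rejected.append(val)


def find_rejected_urls(rendered_html):
    """Return the hrefs in rendered_html that fail the scheme check."""
    checker = LinkSchemeChecker()
    checker.feed(rendered_html)
    checker.close()
    return checker.rejected


def check_rendered_html(rendered_html):
    """Pass the HTML through unchanged, or replace it with a notice."""
    if find_rejected_urls(rendered_html):
        return 'A link with an invalid scheme was detected'
    return rendered_html
```

Feed it the string returned by markdown.markdown() and wrap the result in mark_safe() only after it has passed.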
@wfinn fixed on this version: https://pypi.org/project/martor/1.6.8/
Hi,
@wfinn hmm challenging, the patterns should be:
Here is the test:
output:
Any others?
javascript: URLs can cause cross-site scripting
Steps to reproduce
[aaaa](javascript:alert(1))
The fix would be only allowing https?:// URLs or maybe a small whitelist.