[Security] XSS issue when rendering article content and comments using markdown library

[ashleybroughton]

This could lead to some nefarious edits.

[ashleybroughton]

This should be fixed in most browsers by CSP when this is fully implemented. As for older browsers, we should be encoding the user input when saving it to the database and / or displaying the content.

[ashleybroughton]

In addition to the above example, tags appear to be allowed which could allow someone to embed a remote image and track the users of the site.

Again, this will likely be fixed when we implement CSP fully, but ideally we should be encoding HTML, or implementing a markdown style syntax.

[ashleybroughton]

Another example that could be abused for persistent xss

[ashleybroughton]

I just noticed that we appear to be using the Westwind.AspNetCore.Markdown package and the <markdown .. /> tag for rendering the comments and article content.

Is this perhaps a bug in that framework?

[ashleybroughton]

https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)

[essenbee]

Our team has used HtmlSanitizer in the past. I will did out the code from another project, because you do have to be aware of nefarious people "encoding/ escaping" script tags and suchlike, which means you may have to run the sanitizer several times against the content. not sure.

[essenbee]

Hi @ashleybroughton , I think Mr Strahl’s response to the issue you raised is rather naive. We need a better solution.

[ashleybroughton]

Hi @essenbee . I did try HtmlSanitizer quickly, but I don't have much experience with it. It just seemed to turn the resulting markdown HTML into encoded tags, which means we don't get any of the markdown benefits.

This is definitely something we need to find a good solution for.

Edit:

This is how I was using it

It turns this

into this