XSS vulnerability in some tags

[slav0nic]

[url]javascript:alert('XSS');[/url]
[url]123" onmouseover="alert('Hacked');[/url]

Solution: escaping more symbols like ", '. All returned html values between tags must be escaped.

check as this done in django for example https://github.com/django/django/blob/master/django/utils/html.py#L39

[dcwatson]

FYI, I just bumped the version to 1.0.9 and pushed it to PyPi. Thanks for the report.

[slav0nic]

np, but i find new bug 116cb20#commitcomment-2807750 :]

planed migrate dajngobb from postmarkup to u lib

[dcwatson]

That's not a bug, it's just how the parser works. See my followup comment. You can quote the URL if it has spaces, but I doubt this will be much of an issue in practice. Browsers escape spaces for you (if you copy them), URLs don't tend to have spaces in them, and who types out URLs? :)

Glad to hear you're using my code!

[slav0nic]

ok, tnx) postmarkup do this in other way but u right

[Pitmairen]

This is still an issue.

These still work:

[url]javascript:alert('XSS');[/url]

[url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]

http://www.google.com"onmousemove="alert('XSS');"com

[dcwatson]

FYI, I added a couple more XSS fixes to the url tag and default linker that should address those examples.

[slav0nic]

[URL=data:text/html;base64,PHNjcmlwdD5hbGVydCgiMSIpOzwvc2NyaXB0Pg==]sdfsdf[/URL]

another passive xss ;)

[dcwatson]

Fixed in e23f5ae