Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
file tree
. ├── README.md ├── _sidebar.md ├── index.html └── test └── xss.md
index.html
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>test</title> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <meta name="description" content="Description"> <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/docsify/lib/themes/vue.css"> <link rel="stylesheet" href="/css/sidebar.css"> </head> <body> <div id="app"></div> <script> window.$docsify = { loadSidebar: true, homepage: './README.md', alias:{ '/.*/_sidebar.md': '/_sidebar.md', }, autoHeader: true, auto2top: true, search: { noData: { '/': 'No results!' }, paths: 'auto', placeholder: { '/': 'Search' }, hideOtherSidebarContent: true, depth: 1 }, name: 'test', } </script> <script src="//cdn.jsdelivr.net/npm/docsify/lib/docsify.min.js"></script> <script src="//cdn.jsdelivr.net/npm/docsify/lib/plugins/search.js"></script> </body> </html>
xss.md
# xss test xss"><img src=1 onerror=alert(1)><"
_sidebar.md
- Test - [xss](./test/xss.md)
when user search something near XSS payload and the javascript which should rendering as markdown will be execute
x
Bug does still occur when all/other plugins are disabled?
Your OS: Mac OS
Node.js version: v12.19.0
npm/yarn version:
Browser version:
Docsify version: 4.12.1
Docsify plugins: search.js
https://xl9pw.csb.app/
The text was updated successfully, but these errors were encountered:
You should not write the wrong content...
docsify does not filter errors content in the body.
cc @docsifyjs/reviewers
Sorry, something went wrong.
4 space or one tab for Code Blocks is a standard markdown syntax
# title code
i don't think this is a wrong content
Okay, I tested it without spaces...
xss"><img src=1 onerror=alert(1)><"
with out Code Blocks syntax markdown will rendering code as html The problem comes from the search plug didn't appropriate encode Code Blocks and let " escaped
"
Yes, here's what I removed, I'm revisiting
Successfully merging a pull request may close this issue.
Bug Report
Steps to reproduce
1. create a simple docsify project
file tree
index.html
xss.md
_sidebar.md
2. start a http server
when user search something near XSS payload and the javascript which should rendering as markdown will be execute
3. input
xin search filedWhat is current behaviour
What is the expected behaviour
Other relevant information
Bug does still occur when all/other plugins are disabled?
Your OS: Mac OS
Node.js version: v12.19.0
npm/yarn version:
Browser version:
Docsify version: 4.12.1
Docsify plugins: search.js
Please create a reproducible sandbox
https://xl9pw.csb.app/
Mention the docsify version in which this bug was not present (if any)
The text was updated successfully, but these errors were encountered: