Possible XSS Vulnerability in Image and Hyperlinks (Markdown -> HTML) #1037
I have noticed that Pandoc allows the `javascript:` and `data:` URI schemes in the Markdown dialect. Namely, I can use the Javascript and Data:URI schemes in place of a valid URL for the hyperlink and image elements. As a consequence, the HTML back-end (both strict mode and non-strict mode) can produce output capable of XSS attacks. Below is my input fed through Babelmark 2 @ http://johnmacfarlane.net/babelmark2/

Output:

When I clicked on the hyperlink with the Javascript payload, both in `data:uri` form and `javascript:`, an alert box pops up immediately, which means the embedded payload has been executed. (On Firefox 24) The image element appears to be safe from this kind of XSS attack, at least on modern web browsers that disallow `javascript:` directives. If a malicious writer distributes an HTML file with payload encoded using the above technique, the HTML file may be used for a phishing attack against the recipient.

I personally recommend disabling these two URI schemes altogether, but at the same time, some authors would like to embed images in Markdown using Data URI, which is a perfectly legitimate use for these schemes.

Comments

I believe pandoc creates self-contained HTML documents using this technique. So, rather than disallowing the URI schemes altogether, it'll be better to convert all characters which have an HTML character entity into those respective entities. From babelmark2, it seems some markdown flavours do this by default. So, the type of escaping I recommend is something like I think

Yes, I'm aware of this. At one point I had a

Bottom line: You should always sanitize the output of markdown

But this isn't a bug in pandoc.

+++ Preole [Oct 26 13 19:01 ]:

I understand then. The verdict is to simply use an external library against the HTML output, rather than having the parser itself trying to produce safe HTML. I suppose it's safe to close this since it's not a big deal.
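The thread settles on sanitizing the HTML a Markdown converter emits rather than having the parser refuse URI schemes. The following is an added example of such a post-processing pass in Python; it is not pandoc's code and nothing in it comes from the thread. It re-emits the markup, keeps `href` only for http, https, mailto and relative targets, allows `data:` on `img` only for raster image media types, drops inline event-handler attributes, and returns a list of what it removed. Because `html.parser` decodes character references before the check runs, an entity-encoded scheme is judged in its decoded form, which is the escaping concern raised in the first comment. `SAMPLE_HTML` is constructed to resemble converter output for links written with `javascript:` and `data:` targets; it is not the issue's own (missing) input or output.

```python
"""Post-process HTML produced by a Markdown converter so that link and image
targets with dangerous URI schemes are removed.  Added example; it is not
pandoc's code and does not come from the issue thread."""
from html import escape
from html.parser import HTMLParser

# Schemes accepted on href (any element); "" stands for a relative URL.
SAFE_LINK_SCHEMES = {"http", "https", "mailto", ""}
# data: on <img> is allowed only for raster media types (no SVG, no text/html).
SAFE_IMAGE_DATA_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def _normalize(url: str) -> str:
    """Drop ASCII control characters and whitespace: browsers skip them when
    reading the scheme, so 'java<TAB>script:' is really 'javascript:'."""
    return "".join(ch for ch in url if ord(ch) > 0x20 and ord(ch) != 0x7F)


def _scheme(url: str) -> str:
    """Return the lower-cased scheme of url, or "" for a relative reference."""
    norm = _normalize(url)
    head, sep, _ = norm.partition(":")
    if not sep or any(c in head for c in "/?#"):
        return ""  # no colon at all, or the colon sits inside a path/query
    return head.lower()


def is_safe_link(url: str) -> bool:
    return _scheme(url) in SAFE_LINK_SCHEMES


def is_safe_image(url: str) -> bool:
    scheme = _scheme(url)
    if scheme in ("http", "https", ""):
        return True
    if scheme == "data":
        # data:[<mediatype>][;base64],<data>
        body = _normalize(url).partition(":")[2]
        mediatype = body.partition(",")[0].partition(";")[0].lower()
        return mediatype in SAFE_IMAGE_DATA_TYPES
    return False


class LinkSanitizer(HTMLParser):
    """Re-emit the markup fed in, filtering URL and event attributes.
    Comments, doctypes and processing instructions are dropped because their
    handlers are not overridden.  The parser decodes character references,
    so an entity-encoded scheme is checked in its decoded form."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:  # names are already lower-cased by the parser
            if value is None:  # boolean attribute such as <input disabled>
                parts.append(name)
                continue
            if name.startswith("on"):  # inline event handlers never pass
                self.dropped.append((tag, name, value))
                continue
            if name in ("href", "src"):
                ok = is_safe_image(value) if tag == "img" else is_safe_link(value)
                if not ok:
                    self.dropped.append((tag, name, value))
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")


def sanitize_html(html: str) -> tuple[str, list[tuple[str, str, str]]]:
    """Return (sanitized_html, list of (tag, attribute, value) that were dropped)."""
    parser = LinkSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample resembling converter output for links written with
# javascript: and data: targets; not the issue's own input or output.
SAMPLE_HTML = (
    '<p><a href="javascript:alert(1)">click</a> '
    '<a href="&#106;avascript:alert(1)">encoded</a> '
    '<a href="data:text/html,hello">data link</a> '
    '<a href="https://example.com/">ok</a> '
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="legit" /> '
    '<img src="data:text/html,hello" alt="bad" /></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html(SAMPLE_HTML)
    print(clean)
    for tag, attr, value in dropped:
        print(f"dropped <{tag} {attr}> = {value!r}")
```

Running the module prints the cleaned markup with the three unsafe `href` values and the `text/html` image source removed, while the legitimate `data:image/png` image the thread wants to keep passes through. The pass covers only URL and event attributes; it does not remove `script` or `style` elements, so in a deployment it belongs alongside, not instead of, a full HTML sanitizer as the thread recommends.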