New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS: Bypass of the Renderer's link security check #87

Closed
qll opened this Issue Feb 23, 2016 · 2 comments

Comments

Projects
None yet
2 participants
@qll
Contributor

qll commented Feb 23, 2016

>>> mistune.markdown('[text](javascript:alert`1`)')
'<p><a href="javascript&colon;alert`1`">text</a></p>\n'

The code actually checks for javascript:, wheras the browser happily first decodes entities and then executes the payload. Furthermore, there are lots of other ways to bypass this.

  • In Firefox, you could use data:text/html,<script>alert1</script> as data-URIs inherit the document's context (and, thus, cookies etc).
  • In old Internet Explorer versions, you could use vbscript-URIs
  • There are some characters which can be put in front of javascript-URIs (but are very browser-dependant), so that the startswith check fails.
  • I'm sure there are other protocol handlers which can do harm to unsuspecting users.

In general, I would advise against such a blacklist approach. I will attempt to create a good pull request for this soon.

@qll qll changed the title from XSS: Bypass of the Renderer' link security check to XSS: Bypass of the Renderer's link security check Feb 23, 2016

@lepture

This comment has been minimized.

Show comment
Hide comment
@lepture

lepture Feb 24, 2016

Owner

Great

Owner

lepture commented Feb 24, 2016

Great

@qll qll referenced this issue Feb 25, 2016

Closed

Fix #80 and #87 #88

lepture added a commit that referenced this issue Feb 26, 2016

@lepture

This comment has been minimized.

Show comment
Hide comment
@lepture

lepture Feb 26, 2016

Owner

You fixed it.

Owner

lepture commented Feb 26, 2016

You fixed it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment