Test Environment: Firefox Quantum 67.0.3/Chrome 75.0.3770.100/Safari 12.1.1
Description: A user can use the <iframe> src attribute to insert malicious JavaScript code and then execute it.
Reproduce steps
1. Go to https://pandao.github.io/editor.md/en.html or any open editor.md app.
2. In edit mode, input the following malicious code:
<iframe src=javascript://%0aalert(document.cookie)>
Expected Results: No malicious JavaScript code should be executed.
Actual Results: The malicious code is executed.
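The payload in this report gets past any check that treats "scheme://..." as proof of a real URL: to the JS engine the "//" is just a line comment, and the percent-decoded %0a is the newline that ends it, so alert(document.cookie) runs. A plain blocklist on the literal prefix "javascript:" has the opposite gap, since browsers strip tabs, newlines and leading control characters and decode HTML entities before they ever look at the scheme. The following is an added example written for this page; it is not editor.md's code and makes no claim about how editor.md's own iframe/RegExp filter is implemented. The function names (blocklistFilter, looksLikeUrl, isSafeIframeSrc) and the test inputs are constructed for illustration.

```javascript
// Added example for this report; it is not editor.md's code and makes no
// claim about how editor.md's own iframe/RegExp filter works. It contrasts
// two weak attribute checks with a scheme-allowlist check applied after the
// normalization a browser performs before it reads a URL's scheme.

// Minimal HTML entity decoding for an attribute value lifted from raw HTML.
// Numeric references may legally omit the trailing ';'. Only the named
// entities that matter for scheme smuggling are handled here.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', colon: ":", Tab: "\t", NewLine: "\n" };

function codePointToString(cp) {
  // Out-of-range references decode to U+FFFD rather than throwing.
  return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
}

function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, name) =>
      Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m);
}

// What the WHATWG URL parser does before it looks for a scheme: drop every
// ASCII tab/LF/CR, then strip leading and trailing C0 controls and spaces.
function normalizeUrl(s) {
  return s.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// The scheme as the browser sees it: a letter, then letters/digits/'+'/'-'/'.',
// up to the first ':'. Returns null for a scheme-less (relative) URL.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Weak check 1: a blocklist on the literal prefix. Anything the browser will
// normalize into "javascript:" but that is not spelled that way gets through.
function blocklistFilter(src) {
  return !/^javascript:/i.test(src);
}

// Weak check 2: accept anything shaped like "scheme://...". The payload in
// this report passes because, to the JS engine, "//" is just a line comment
// and %0a is the newline that ends it.
function looksLikeUrl(src) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(src);
}

// Hardened check: decode, normalize, then allow only listed schemes.
// Relative URLs (no scheme) are kept; they load from the page's own origin.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

function isSafeIframeSrc(rawAttr) {
  const url = normalizeUrl(decodeEntities(rawAttr));
  const scheme = schemeOf(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed inputs: the payload from this report plus common obfuscations.
const PAYLOADS = [
  "javascript://%0aalert(document.cookie)",   // this report
  "JaVaScRiPt:alert(1)",                      // mixed case
  "java\tscript:alert(1)",                    // tab inside the scheme
  "\u0001javascript:alert(1)",                // leading control character
  "&#106;avascript:alert(1)",                 // numeric entity without ';'
  "javascript&colon;alert(1)",                // named entity for ':'
  "data:text/html,<script>alert(1)</script>", // another active scheme
];
const BENIGN = ["https://example.com/embed", "/local/page.html", "page.html?x=1"];

function evaluate() {
  return {
    blocklistPasses: PAYLOADS.filter(blocklistFilter),
    looksLikeUrlPasses: PAYLOADS.filter(looksLikeUrl),
    hardenedPasses: PAYLOADS.filter(isSafeIframeSrc),
    benignKept: BENIGN.filter(isSafeIframeSrc),
  };
}

console.log(evaluate());
```

Run with node: the blocklist lets five of the seven payloads through, the "looks like a URL" check lets exactly the payload from this report through, and the allowlist rejects all seven while keeping the three benign values. Unknown schemes (ftp:, data:, blob:, anything misspelled) are rejected rather than guessed at, which is the conservative default for an attribute that can execute script.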
Can you try against this version please? Also be sure to have the iframe filter enabled: https://github.com/418sec/editor.md
Improve RegExp filter
f5cb82c
fixes #pandao#612 fixes #pandao#662 fixes #pandao#697 fixes #pandao#700 fixes #pandao#701 fixes #pandao#709 fixes #pandao#715 fixes #pandao#764 fixes #pandao#816 ### Probably: fixes #pandao#307 fixes #pandao#560
067619e
fixes #pandao#612 fixes #pandao#662 fixes #pandao#697 fixes #pandao#700 fixes #pandao#701 fixes #pandao#709 fixes #pandao#715 fixes #pandao#764 fixes #pandao#816 fixes #pandao#307 fixes #pandao#560