Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Script injection vulnerability in search component #906
If any of your markdown documents contain script injection examples such as the following:
<style onload='alert("You executed this bit of JS");'></style>
You'll trigger a script injection attack on yourself when the document shows up in the search result.
I would expect mkdocs-material to not inject user-generated input straight into the DOM. This is happening due to the use of
It triggers an injection attack.
Steps to reproduce the bug
You can download a minimal working example here or follow the guide below
Put the following anywhere in a document and write a search query that finds the document
I'm using verison
site_name: 'Example of injection' theme: name: 'material' nav: - Home: index.md
Yes, changes to documentation should always be reviewed. As MkDocs provides static documentation, there is no risk of MkDocs being exploited dynmically to inject scripts (unless you are using MkDocs "serve" as your server -- don't do that). But assuming you had a third party Markdown extension that slipped in injecting of malicious scripts into your documents via an update, MkDocs provides a plugin API that could allow you to run post processing on your HTML and sanitize it.
I personally do not feel it is MkDocs job to keep us safe, but simply to provide automated document building and deployment. I feel it is reasonable to expect the user to write, or use a 3rd party Mkdocs sanitizer extension.
@facelessuser In this case it's an internal document that describes how to avoid script injection, and as such has examples of script injection in the text.
Here's another example. Say you're documenting some HTML
This will be rendered in the search results like so:
I don't think mkdocs should sanitise all the user input but it would be nice if it didn't inject the contents of code blocks into the DOM. I'd be happy if search completely ignored anything inside of
I'm not entirely sure it's related, but it looks like it could be, so I'd like to re-open this issue.
Now, when an indented code block contains escapable characters such as
For instance, the following code block: