CVE-2018-20583 - XSS Vulnerability #337
An XSS vulnerability (CVE-2018-20583) has been identified in the following versions of this library:
It allows unsafe URLs to be added to links.
The issue has been fixed in version 0.18.1. All users should upgrade to version 0.18.1 immediately. Additionally, if your application caches the resulting HTML, please purge and/or regenerate those caches.
Malicious users can bypass the "unsafe links" restrictions by inserting an encoded newline character (
Certain versions of this library would decode, then fail to re-encode, that newline, resulting in the following HTML:
<p><a href="javascri pt:alert('XSS')">Click me</a></p>
Browsers ignore the newline and see
The URL normalization process basically runs
A huge thank you to Austin H. for finding the issue and working with @GrahamCampbell to responsibly disclose it!
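Added illustration, not code from this library or from the advisory author: a naive scheme check of the kind the bypass above defeats, next to a hardened check that decodes entities and strips control characters the way a browser does before comparing the scheme, plus a re-encoding step so a decoded newline is percent-encoded rather than emitted raw. Written in Python for illustration; the scheme list and the drop-the-href policy are assumptions for this example.

```python
import html
import re
from urllib.parse import quote

# Schemes an "unsafe links" option is meant to block. The exact list is an
# assumption for this example, not copied from the library.
UNSAFE_SCHEMES = ("javascript:", "vbscript:", "file:", "data:")

# ASCII control characters and whitespace. Browsers drop these while parsing
# a URL scheme, so "javascri\npt:" is read as "javascript:".
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def naive_is_unsafe(href: str) -> bool:
    """The kind of check the advisory describes as bypassable: it inspects the
    entity-decoded text as-is, so an embedded newline hides the scheme."""
    return html.unescape(href).lower().startswith(UNSAFE_SCHEMES)


def is_unsafe(href: str) -> bool:
    """Hardened check: decode entities, then normalise the way a browser would
    (strip control characters) before comparing the scheme."""
    decoded = html.unescape(href)
    normalised = CONTROL_RE.sub("", decoded).lower()
    return normalised.startswith(UNSAFE_SCHEMES)


def encode_href(href: str) -> str:
    """Re-encode after decoding: any control character that survives into the
    output is percent-encoded, so a raw newline never reaches the href."""
    decoded = html.unescape(href)
    encoded = CONTROL_RE.sub(lambda m: quote(m.group(0)), decoded)
    return html.escape(encoded, quote=True)


def render_link(href: str, text: str) -> str:
    """Render a link; unsafe destinations get an empty href (this policy is an
    assumption for the example, not the library's documented behaviour)."""
    safe_href = "" if is_unsafe(href) else encode_href(href)
    return f'<a href="{safe_href}">{html.escape(text)}</a>'


# Constructed sample: the payload shape from the advisory, newline entity-encoded.
PAYLOAD = "javascri&#10;pt:alert('XSS')"

if __name__ == "__main__":
    print("naive check flags it:   ", naive_is_unsafe(PAYLOAD))  # False
    print("hardened check flags it:", is_unsafe(PAYLOAD))        # True
    print(render_link(PAYLOAD, "Click me"))
    print(render_link("https://example.com/a&#10;b", "ok"))
```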