Fix made in November now absent from code #18

Closed
minusworld opened this issue Jan 6, 2021 · 1 comment

@minusworld

Hello,

I'm a security researcher at r2c. 👋 I am studying XSS vulnerabilities and happened across this PR addressing an XSS in your repo.

By pure luck, I noticed that the recent refactoring seems to have removed this patch. I'm not certain if this was intentional for some unknown reason; however, I wanted to bring it to your attention.

Hope this helps! Cheers.

@minusworld minusworld changed the title Fix missing Fix made in November now absent from code Jan 6, 2021
@valeriangalliat
Owner

Hey!

We decided that escaping the special characters at the output level with md.utils.escapeHtml(lang) (

    const cls = lang ? ` class="${options.langPrefix}${md.utils.escapeHtml(lang)}"` : ''

) was a cleaner way to prevent the XSS vulnerability, so the original patch in the regex wasn't necessary anymore :)

If you agree that this is a solid mitigation, I'll let you close this issue, otherwise I would love to hear your thoughts on a better solution.

Cheers!
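
Added example (not code from the repository or from either commenter): a regression check for the output-level escaping described in the reply above, comparing raw and escaped interpolation of `lang`. `escapeHtml` here is a local stand-in for `md.utils.escapeHtml`, and `options`, the function names and the sample `lang` strings are constructed for illustration.

```javascript
// Local stand-in (assumption) for markdown-it's md.utils.escapeHtml, which
// escapes & < > and ". Defined here so the example runs without markdown-it.
const HTML_REPLACEMENTS = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }
function escapeHtml (str) {
  return /[&<>"]/.test(str)
    ? str.replace(/[&<>"]/g, ch => HTML_REPLACEMENTS[ch])
    : str
}

const options = { langPrefix: 'language-' } // hypothetical plugin options

// Before: lang is interpolated raw into the attribute value.
function classAttrRaw (lang) {
  return lang ? ` class="${options.langPrefix}${lang}"` : ''
}

// After: the line quoted in the reply, using the local escapeHtml.
// Note: escapeHtml does not escape single quotes, so this is only safe
// because the attribute value is delimited with double quotes.
function classAttrEscaped (lang) {
  return lang ? ` class="${options.langPrefix}${escapeHtml(lang)}"` : ''
}

// Regression check: the output must be exactly one double-quoted class
// attribute, with no unescaped quote or angle bracket inside the value.
function staysInsideAttribute (attr) {
  return attr === '' || /^ class="[^"<>]*"$/.test(attr)
}

// Constructed inputs: two ordinary language names and two strings that
// contain HTML-significant characters.
const samples = ['js', 'c++', 'js" data-injected="1', 'js"><b>']

function report () {
  return samples.map(lang => ({
    lang,
    raw: staysInsideAttribute(classAttrRaw(lang)),
    escaped: staysInsideAttribute(classAttrEscaped(lang))
  }))
}

console.table(report())
```

A check like `staysInsideAttribute` in the test suite would fail if a later refactoring dropped the escaping call.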
