Cross-site scripting vulnerability in ParseDown

[prodigysml]

<?php

include("parsedown/Parsedown.php");

echo Parsedown::instance()->text('Hello ![google" onerror="alert(1)](http://google.com)'); 

The code above simply creates an instance of your Parsedown parser and then creates an image in markdown. This creation of the image is vulnerable to XSS. I would advice something like HTML encoding some of the input in certain places (especially for things like quotes).

[cebe]

duplicate of #161

[aidantwoods]

Fixed in #495 if you’d like to test it.

[embluk]

@aidantwoods Can I ask why this has not been merged into master yet, as this XSS vulnerability is quite serious?

[aidantwoods]

Can I ask why this has not been merged into master yet, as this XSS vulnerability is quite serious?

@embluk I'd love to see it merged into master, but unfortunately I don't have write rights on this repo.

If you're a composer user you can take a look at https://packagist.org/packages/aidantwoods/secureparsedown, or https://github.com/aidantwoods/SecureParsedown otherwise to apply the patch via a class extension.

[embluk]

@aidantwoods Thanks for all your great work on this!

However, I cannot seem to get it working. I'm pretty sure its nothing on your side and something with the way I'm setting it up.

I have the following:

      require_once("scripts/php/Markdown/parsedown.php");
      require_once("scripts/php/Markdown/SecureParsedown.php");

      use Aidantwoods\SecureParsedown\SecureParsedown;

      $parsedown = new SecureParsedown;
      $parsedown->setSafeMode(true);

And I get this error: Parse error: syntax error, unexpected 'use' (T_USE)

[aidantwoods]

From the error it looks like you're perhaps declaring this within a function in the surrounding context?

PHP's use is a little weird, and it can have three (thus far) different meanings depending on where it is used.

In the desired case, it is for importing – so you'd need to place the use statement outside of any classes and methods (more info)

Alternatively if that's not practical, just instantiate the class by using its fully qualified name, i.e. change new SecureParsedown; to new Aidantwoods\SecureParsedown\SecureParsedown; and remove the use line.

[embluk]

Ohh yeah I had my previous code block within a wrapper class, inside a function.

It now works with using the fully qualified name.

Thanks for your rapid response and support! Keep up the good work!

[erusev]

It's been a busy couple of months for me, I'll merge it as soon as I have some time to get my head around the code.

[jamesgraham]

Anyone using the roave/security-advisories will be unable to use this package as it's now marked unsafe.