Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added data: and vbscript: link fix to prevent XSS vulnerability #63

Merged
merged 1 commit into from
Mar 14, 2019

Conversation

jedixak
Copy link
Contributor

@jedixak jedixak commented Mar 14, 2019

Cross-site Scripting (XSS) via Data or Vbscript URIs.
The following markup [link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==) produces <script>alert('hi')</script>.

@ariabuckles
Copy link
Owner

Thanks! This looks great. I’ll deploy a version with these changes later today

@ariabuckles ariabuckles merged commit 8ad751f into ariabuckles:master Mar 14, 2019
ariabuckles added a commit that referenced this pull request Mar 14, 2019
@ariabuckles
Copy link
Owner

Published [email protected] with these changes. Thanks again!

ariabuckles added a commit to ariabuckles/markdown-to-jsx that referenced this pull request May 21, 2020
I believe this fixes https://www.npmjs.com/advisories/1219 if
`options.disableParsingRawHTML` is set.

NOTE: This does not handle script elements, etc., that may be rendered
when `options.disableParsingRawHTML` is not enabled. We might be able to
use something like [`dompurify`](https://github.com/cure53/DOMPurify) to
solve that case?

According to https://owasp.org/www-community/xss-filter-evasion-cheatsheet ,
the dangerous `javascript:` protocol can contain some whitespace
characters and still be vulnerable, and sometimes when used in
conjunction with images, some other special characters like ` or <
before the javascript: protocol can also leave a url vulnerable.

This change re-adds the sanitiation logic removed in 9c6c782 , and also
adds the vbscript/data handling from github.com/ariabuckles/simple-markdown/pull/63

Test plan:

Add tests and run `npm test`
ariabuckles added a commit to quantizor/markdown-to-jsx that referenced this pull request May 22, 2020
I believe this fixes https://www.npmjs.com/advisories/1219 if
`options.disableParsingRawHTML` is set.

NOTE: This does not handle script elements, etc., that may be rendered
when `options.disableParsingRawHTML` is not enabled. We might be able to
use something like [`dompurify`](https://github.com/cure53/DOMPurify) to
solve that case?

According to https://owasp.org/www-community/xss-filter-evasion-cheatsheet ,
the dangerous `javascript:` protocol can contain some whitespace
characters and still be vulnerable, and sometimes when used in
conjunction with images, some other special characters like ` or <
before the javascript: protocol can also leave a url vulnerable.

This change re-adds the sanitiation logic removed in 9c6c782 , and also
adds the vbscript/data handling from github.com/ariabuckles/simple-markdown/pull/63

Test plan:

Add tests and run `npm test`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants