XSS (<script>, <style>) #168

ghost · 2014-05-03T11:18:58Z

html tags are not striped (or better will be to htmlspecialchars() them)

Test string:

<script type="text/javascript">alert('XSS');</script>
<style type="text/css">body { background: red; }</style>

Result: http://sourcebox.io/27978c3083f1bf93be8f9325d3a2a36b/markdown

Is there any option to enable safe html output? Or am I doing something wrong?

Github generates this html:

<p>body { background: red; }</p>

You can test that by executing this script in your browser console:

jQuery.post('/preview?text='+ encodeURIComponent('<script type="text/javascript">alert("XSS");</script><style type="text/css">body { background: red; }</style>'), function(html){ alert(html); });

Bitbucket.org generates this html:

<p>&lt;script type="text/javascript"&gt;alert('XSS');&lt;/script&gt;
&lt;style type="text/css"&gt;body { background: red; }&lt;/style&gt;</p>

The text was updated successfully, but these errors were encountered:

hkdobrev · 2014-05-03T11:45:02Z

A Markdown parser should accept HTML including scripts.

It is your responsibility to decide whether and how you would sanitize your input.

ghost · 2014-05-03T12:03:32Z

@hkdobrev ok thanks

clphillips · 2014-05-05T15:58:16Z

@moldcraft see #161.

ghost closed this as completed May 3, 2014

This issue was closed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS (<script>, <style>) #168

XSS (<script>, <style>) #168

ghost commented May 3, 2014

hkdobrev commented May 3, 2014

ghost commented May 3, 2014

clphillips commented May 5, 2014

XSS (<script>, <style>) #168

XSS (<script>, <style>) #168

Comments

ghost commented May 3, 2014

hkdobrev commented May 3, 2014

ghost commented May 3, 2014

clphillips commented May 5, 2014