-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
filterHTMLTags does not properly filter Html tags (XSS) #764
Comments
Any updates on this? |
Please try: Should be fixed with latest commit, let my know if its not |
alromh87
added a commit
to alromh87/editor.md
that referenced
this issue
Sep 10, 2020
fixes #pandao#612 fixes #pandao#662 fixes #pandao#697 fixes #pandao#700 fixes #pandao#701 fixes #pandao#709 fixes #pandao#715 fixes #pandao#764 fixes #pandao#816 ### Probably: fixes #pandao#307 fixes #pandao#560
alromh87
added a commit
to alromh87/editor.md
that referenced
this issue
Sep 10, 2020
fixes #pandao#612 fixes #pandao#662 fixes #pandao#697 fixes #pandao#700 fixes #pandao#701 fixes #pandao#709 fixes #pandao#715 fixes #pandao#764 fixes #pandao#816 fixes #pandao#307 fixes #pandao#560
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Dear Pandao team,
I would like to report a security vulnerability in Editor.md.
Summary:
The "filterHTMLTags" function does not properly filter Html tags, leading to XSS.
Description:
The sanitizer in "filterHTMLTags" function in editormd.js is broken:
editor.md/editormd.js
Line 3828 in 63786e6
As a result, an attacker could exploit this to inject client-side scripts into web pages that use Editor.md.
Steps to reproduce:
For example, in Firefox you can use:
<script >alert(31337)</script >
Supporting material:
POC1:
POC2:
The text was updated successfully, but these errors were encountered: