XSS in IE #492

albertshaw · 2014-09-25T08:40:10Z

Though set sanitize option to true could filter some xss code, but it still miss a link case in IE.

use:

[xss link](vbscript:alert(1))

will get a link

<a href="vbscript:alert(1)">xss link</a>

this script does not work in IE 11 edge mode, but works in IE 10 compatibility view.

The text was updated successfully, but these errors were encountered:

blacklist vbscript: fixes #492

blacklist vbscript: fixes markedjs#492

katanacrimson mentioned this issue Oct 16, 2014

switch to alternate markdown library NodeBB/nodebb-plugin-markdown#20

Closed

albertshaw mentioned this issue Oct 28, 2014

要不要考虑换一个markdown解析库 cnodejs/nodeclub#440

Closed

chjj closed this as completed in 3c19114 Jan 25, 2015

chjj added a commit that referenced this issue Jan 25, 2015

Merge pull request #537 from evilpacket/no-vbscript

f49db7c

blacklist vbscript: fixes #492

This was referenced Mar 16, 2015

Bump Marked to v0.3.3 hakimel/reveal.js#1165

Closed

Bumped Marked to v0.3.3 hakimel/reveal.js#1166

Merged

rhiokim added a commit to rhiokim/marked that referenced this issue Mar 16, 2015

blacklist vbscript: fixes markedjs#492

f9fa1bf

gkoberger pushed a commit to readmeio/marked that referenced this issue Aug 24, 2015

blacklist vbscript: fixes markedjs#492

f478ae7

ghost pushed a commit to zergeborg/marked that referenced this issue May 13, 2016

blacklist vbscript: fixes markedjs#492

fc372d1

ghost pushed a commit to zergeborg/marked that referenced this issue May 13, 2016

Merge pull request markedjs#537 from evilpacket/no-vbscript

487c410

blacklist vbscript: fixes markedjs#492

machinshin mentioned this issue Sep 13, 2019

still active? dtao/autodoc#62

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS in IE #492

XSS in IE #492

albertshaw commented Sep 25, 2014

XSS in IE #492

XSS in IE #492

Comments

albertshaw commented Sep 25, 2014