
Cross site scripting [self xss] on simplemde-markdown-editor #435

Closed
raminfp opened this issue Sep 18, 2016 · 3 comments

Comments

@raminfp

raminfp commented Sep 18, 2016

Hi,

there is an XSS vulnerability in the simplemde editor,

Steps:

1 - Go to https://simplemde.com/
2 - copy this '><img src=x onerror=alert(1);> or <img src=x onerror=alertHello!> or <b onclick=alert(1)>click me! and etc
3 - paste on simplemde-markdown-editor
4 - click to preview
5 - you see the JavaScript code execute,

Thanks,
Ramin

@TangentFoxy

Correct me if I'm wrong, but this is due to Markdown allowing HTML to be used within it, and the problem is just that their demo doesn't disable that. It's not an inherent error/danger in SimpleMDE itself?

@WesCossick
Member

This is due to Markdown allowing HTML to be used alongside the Markdown syntax. SimpleMDE makes no effort to filter this client side. Your own application code should worry about handling these types of attacks.

@davidcalhoun

It would be super nice to add this as a recommendation in the docs for previewRender.
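
Following the maintainer's point that handling this belongs in application code, here is an added example (not SimpleMDE's own code) of a previewRender hook that escapes raw HTML in the Markdown source before it reaches the renderer, so the payloads from the report show up as literal text in the preview. The names `escapeRawHtml` and `makePreviewRender` are mine; SimpleMDE's real `previewRender` option and `this.parent.markdown` renderer are used only in the browser wiring at the bottom.

```javascript
// Added example, not SimpleMDE's code. Raw HTML in Markdown is escaped before
// rendering; fenced blocks (```...```) and inline code spans (`...`) are left
// untouched because the Markdown renderer already escapes their contents.
function escapeRawHtml(markdown) {
  // Capturing group: split() puts code segments at the odd indices.
  const codeSegment = /(```[\s\S]*?```|`[^`\n]*`)/g;
  return markdown
    .split(codeSegment)
    .map((segment, index) => {
      if (index % 2 === 1) return segment; // code: leave as-is
      return segment
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;");
    })
    .join("");
}

// Wraps any Markdown-to-HTML function so that it never sees raw tags.
function makePreviewRender(renderMarkdown) {
  return function (plainText) {
    return renderMarkdown(escapeRawHtml(plainText));
  };
}

// Self-check with a constructed stand-in renderer (SimpleMDE's bundled one is
// not available outside the browser): the report's first payload is inert.
function demo() {
  const render = makePreviewRender((md) => "<p>" + md + "</p>");
  return render("'><img src=x onerror=alert(1);>");
  // returns "<p>'&gt;&lt;img src=x onerror=alert(1);&gt;</p>"
}

// Browser wiring. `previewRender` receives the plain Markdown, and
// `this.parent.markdown` is SimpleMDE's own renderer, as in its README.
if (typeof SimpleMDE !== "undefined" && typeof document !== "undefined") {
  new SimpleMDE({
    element: document.getElementById("editor"),
    previewRender: function (plainText) {
      const render = makePreviewRender((md) => this.parent.markdown(md));
      return render(plainText);
    },
  });
}
```

This is the strict option that disables inline HTML entirely; if the application genuinely needs inline HTML in the preview, run the rendered output through an allowlist sanitizer such as DOMPurify instead.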
