Another safe mode XSS #583

Closed
Arc-blroth opened this issue Jun 16, 2024 · 0 comments · Fixed by #586
Arc-blroth commented Jun 16, 2024

Running

```html
<img onerror=alert("hi")<a> src=a
```

through markdown2 with `--safe replace` results in an XSS:

```html
<p><img onerror=alert("hi")[HTML_REMOVED] src=a</p>
```

From what I could tell, this is because:

  • `_hash_html_spans` assumes the first token is never HTML (`is_html_markup = False`) and that succeeding tokens alternate between normal text and HTML markup (`is_html_markup = not is_html_markup`)
  • thus, the entire first token `<img onerror=alert("hi")` does not get run through `sanitize_html`
  • instead, that token gets run through `_encode_incomplete_tags`
  • but since that token fails the regex `_incomplete_tags_re`, it also doesn't get `<` escaped with `&lt;`

`markdown2.__version__ == '2.4.13'`
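The failure mode the report describes, modelled as an added example (this is not markdown2's own code; `TAG_RE`, `NARROW_INCOMPLETE_RE`, `tokenize` and `safe_mode_replace` are constructed here): a narrow "incomplete tag" pattern leaves an unrecognised fragment with a bare `<` untouched, whereas escaping every `<` that is not part of a complete tag closes the gap regardless of what the fragment contains.

```python
import re

# Added example (not markdown2's own code): a toy model of the safe-mode
# "replace" pipeline the report describes. Text is split into text / tag
# tokens, every complete tag becomes [HTML_REMOVED], and the text tokens are
# then checked for a leftover '<'. The narrow check mirrors the failure mode
# (a pattern that only knows unfinished tags with bare-word attributes); the
# strict check escapes every '<' that is not part of a complete tag.

# Complete tag: '<', optional '/', a name, attributes with no '<' or '>', '>'.
TAG_RE = re.compile(r'</?[A-Za-z][A-Za-z0-9-]*(?:\s+[^<>]*)?/?>')

# Constructed narrow pattern for an unfinished tag: name plus bare-word
# attributes only. Quotes or parentheses in a value make it fail to match.
NARROW_INCOMPLETE_RE = re.compile(r'<\w+(?:\s+\w+(?:=\w+)?)*\s*')


def tokenize(text):
    """Yield ('text', s) / ('tag', s) pairs; text tokens may still hold '<'."""
    pos = 0
    for m in TAG_RE.finditer(text):
        if m.start() > pos:
            yield ('text', text[pos:m.start()])
        yield ('tag', m.group(0))
        pos = m.end()
    if pos < len(text):
        yield ('text', text[pos:])


def safe_mode_replace(text, strict=True):
    """Replace complete tags with [HTML_REMOVED] and neutralise leftover '<'."""
    out = []
    for kind, tok in tokenize(text):
        if kind == 'tag':
            out.append('[HTML_REMOVED]')
        elif strict:
            # A '<' that survived tokenization does not start a tag TAG_RE
            # recognises, so escaping it can never break legitimate markup.
            out.append(tok.replace('<', '&lt;'))
        elif NARROW_INCOMPLETE_RE.fullmatch(tok):
            out.append('&lt;' + tok[1:])
        else:
            out.append(tok)  # the gap: an unrecognised fragment passes through
    return ''.join(out)


if __name__ == '__main__':
    payload = '<img onerror=alert("hi")<a> src=a'  # the input from this issue
    print(safe_mode_replace(payload, strict=False))  # narrow check: '<' survives
    print(safe_mode_replace(payload))                # strict check: '&lt;img ...'
```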

nicholasserra added a commit that referenced this issue Jul 5, 2024
Fix #583 by tweaking incomplete tag regex