-
-
Notifications
You must be signed in to change notification settings - Fork 334
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix two persistent XSS flaws #105
Conversation
Oh, nice finds. The first one I think you should report it to mistune project. The second one, It seems I misplace the escaping and didn't test it properly. |
And I will send a smiliar patch to the mistune project, too. Thanks for the suggestion. |
Why not to check the url starts with |
That's actually a good idea. What's left are relative/url/paths. I think I have a solid idea for that, too. It's better to wait for the mistune pull request then. |
They could be checked with something like I'd usually not care about relative urls, it may be even safer not to allow them, but I'm using them for image uploads (I could create a data migration to add the full url though). |
...or just prepend |
I figured that such limitations are too much of a burden when considering such a general markdown parser as mistune is. Here is my pull request lepture/mistune#88. Let's see if that gets accepted. I guess the blacklist approach proposed in that pull request would actually be sufficient for the forum, too. People are going to use the forum in unexpected areas and will maybe want to link to unexpected things (bitcoin:// or mailto:// or whatever). Anyway, thank you for being so patient and figuring out a solution with me. My initial pull request here seems a bit rushed. |
I'll probably go with the whitelist approach, I'll add a
I'll likely merge it later thought, at least to fix the escaping and so you appear as a colaborator (for the lack of a colaborators file). Thank you! |
I guess I owe you a bit of explanation for this pull request out of the blue: There are two distinct XSS vulnerabilities in the forum's markdown parser. Both affect the
[text](url)
link syntax.[text](javascript:alert
1)
(the payload uses the backtick to avoid parantheses). This exploit is however not the only one concerning the URL parsing. In Firefox, the following payload suffices to create a link which will run on the same origin as the page:[text](data:text/html,<script>alert
1</script>)
. Additionally, there is vbscript: and a range of extremely evil protocol handlers. Thus, the patch uses a whitelist to prevent all of this in one swoop. One drawback is that relative and kinda-relative URLs do not work in the link tag anymore (/from/root/path and path/to/something). Its up to you to decide if this is acceptable.[text]("><script>alert
1</script>)
. Simple, but works. The solution is to simply escape the link, too. This is the more dangerous attack of the two as it does not require user interaction. It was found by @thejh.