XSS via image

[wfinn]

Hi, I found another XSS which is different from the javascript: one.

![\" onerror=alert(1) ](x) and it results in this html: <p><img alt="" onerror=alert(1) " src="x" /></p>

I think you should use a well known HTML sanitizer after generating the HTML from markdown to fix this. That would also fix #167

But preventing breaking out of the html with \" should be done aswell.

[agusmakmun]

very good @wfinn, I guess you are pentester... lol

[eelkevdbos]

I think these can all be tackled by a strict enough content security policy, not allowing inline scripts. A package I use to configure this in my apps is django-csp.

However, I do agree a sanitizer would be kind of nice. We could for example add bleach to the mix.

[agusmakmun]

Now finally we solve this issue by using bleach, thank you @eelkevdbos for your recommendation. Please upgrade your package by using this command:

pip install martor --upgrade

meanwhile, I already provide the unitest as well which related with xss issues:

https://github.com/agusmakmun/django-markdown-editor/blob/master/martor/tests/tests.py#L80

def test_markdownify_xss_handled(self):
    xss_payload_1 = "[aaaa](javascript:alert(1))"
    response_1 = markdownify(xss_payload_1)
    self.assertEqual(response_1, '<p><a href=":">aaaa</a></p>')

    xss_payload_2 = '![" onerror=alert(1) ](x)'
    response_2 = markdownify(xss_payload_2)
    self.assertEqual(
        response_2, '<p><img alt="&quot; onerror=alert(1) " src="x"></p>'
    )

    xss_payload_3 = '[xss](" onmouseover=alert(document.domain) l)'
    response_3 = markdownify(xss_payload_3)
    self.assertEqual(
        response_3,
        '<p><a href="&quot; onmouseover=alert(document.domain)">xss</a>)</p>',  # noqa: E501
    )