
martor markdownify is vulnerable to stored XSS.

Open GiJ03 opened this issue 1 year ago • 4 comments

While testing an application, I observed that the application was using martor markdownify. On further investigation, I observed that martor markdownify is vulnerable to stored XSS.

Will I be eligible for a CVE, if I report that?

GiJ03, Apr 03 '23 17:04

Maybe something like this. I did not test this yet.

To fix the XSS vulnerability, you need to sanitize the user input before rendering it as HTML. One way to do this is by using a library like bleach to clean the input and remove any potentially harmful content.

https://github.com/agusmakmun/django-markdown-editor/blob/master/martor/utils.py

import bleach
from django.utils.safestring import mark_safe
from markdown import markdown
from martor import settings


# bleach 6 ships ALLOWED_TAGS as a frozenset, so build a fresh list/dict
# instead of concatenating with, or mutating, the library's defaults.
ALLOWED_TAGS = list(bleach.sanitizer.ALLOWED_TAGS) + [
    'img', 'p', 'pre', 's', 'u', 'code', 'kbd', 'br'
]
ALLOWED_ATTRIBUTES = dict(bleach.sanitizer.ALLOWED_ATTRIBUTES)
ALLOWED_ATTRIBUTES.update({
    '*': ['class', 'id'],
    'img': ['src', 'alt', 'title'],
    'a': ['href', 'rel', 'title'],
})


def markdownify(markdown_text):
    """
    Convert markdown to html, then sanitize it with bleach before marking it safe.
    """
    html = markdown(markdown_text, extensions=settings.MARTOR_MARKDOWN_EXTENSIONS)
    sanitized_html = bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
    return mark_safe(sanitized_html)

some1ataplace, Apr 04 '23 04:04

For reporting a valid issue, will I be eligible for a CVE?

GiJ03, Apr 04 '23 04:04

We have fixed some XSS issues before; one of the reasons we're using bleach is because of that. But I can say the XSS issue is quite complex, especially its payloads. So far we're using this configuration in martor:

  • Configuration: https://github.com/agusmakmun/django-markdown-editor#setting-configurations-settingspy
  • Implementation: https://github.com/agusmakmun/django-markdown-editor/blob/master/martor/utils.py#L22
# URL schemes that are allowed within links
ALLOWED_URL_SCHEMES = [
    "file", "ftp", "ftps", "http", "https", "irc", "mailto",
    "sftp", "ssh", "tel", "telnet", "tftp", "vnc", "xmpp",
]

# https://gist.github.com/mrmrs/7650266
ALLOWED_HTML_TAGS = [
    "a", "abbr", "b", "blockquote", "br", "cite", "code", "command",
    "dd", "del", "dl", "dt", "em", "fieldset", "h1", "h2", "h3", "h4", "h5", "h6",
    "hr", "i", "iframe", "img", "input", "ins", "kbd", "label", "legend",
    "li", "ol", "optgroup", "option", "p", "pre", "small", "span", "strong",
    "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "u", "ul"
]

# https://github.com/decal/werdlists/blob/master/html-words/html-attributes-list.txt
ALLOWED_HTML_ATTRIBUTES = [
    "alt", "class", "color", "colspan", "datetime",  # "data",
    "height", "href", "id", "name", "reversed", "rowspan",
    "scope", "src", "style", "title", "type", "width"
]

Feel free to modify those, depending on your application's needs.

@GiJ03 Can you share with us the XSS payload that causes the XSS issue to appear? Then we can more easily help you resolve your issue. More XSS payloads would be awesome.

Here is some test example: https://github.com/agusmakmun/django-markdown-editor/blob/2c745fe16c84f26729fa886734c5f4f48768f646/martor/tests/tests.py#L94-L110

agusmakmun, Apr 04 '23 16:04
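Put together as an added example for this thread (it is not martor's or bleach's code): a standard-library allowlist sanitizer that applies the tag, attribute and URL-scheme lists from the settings quoted above to a handful of constructed payloads, so the effect of each list can be seen without installing bleach. It covers the HTML-sanitizing stage only; the markdown-to-HTML conversion that precedes it in markdownify is assumed to have run already (Python-Markdown passes raw HTML through, which is why this stage matters). Two deliberate deviations from the quoted lists: the `style` attribute is left out, because inline CSS needs its own sanitizer, and the payloads are constructed for this example rather than taken from the linked payload list.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists copied from the martor settings quoted above. "style" is left
# out on purpose: inline CSS needs its own sanitizer, which this example omits.
ALLOWED_URL_SCHEMES = {
    "file", "ftp", "ftps", "http", "https", "irc", "mailto",
    "sftp", "ssh", "tel", "telnet", "tftp", "vnc", "xmpp",
}
ALLOWED_HTML_TAGS = {
    "a", "abbr", "b", "blockquote", "br", "cite", "code", "command",
    "dd", "del", "dl", "dt", "em", "fieldset", "h1", "h2", "h3", "h4", "h5", "h6",
    "hr", "i", "iframe", "img", "input", "ins", "kbd", "label", "legend",
    "li", "ol", "optgroup", "option", "p", "pre", "small", "span", "strong",
    "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "u", "ul",
}
ALLOWED_HTML_ATTRIBUTES = {
    "alt", "class", "color", "colspan", "datetime", "height", "href", "id",
    "name", "reversed", "rowspan", "scope", "src", "title", "type", "width",
}
URL_ATTRIBUTES = {"href", "src"}          # values checked against the scheme list
VOID_TAGS = {"br", "hr", "img", "input"}  # never get a closing tag
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def url_is_allowed(value):
    """Relative URLs and allowlisted schemes pass; anything else is dropped.
    Control characters and spaces are removed first, so 'java\\tscript:' is
    classified by the scheme a browser would actually execute."""
    try:
        scheme = urlsplit(_CONTROL_OR_SPACE.sub("", value)).scheme.lower()
    except ValueError:  # unparseable URL: treat as disallowed
        return False
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialise HTML, keeping only allowlisted tags and attributes.
    Disallowed tags become escaped literal text (bleach's strip=False
    behaviour); disallowed attributes, comments and declarations are dropped.
    Tag balancing is not enforced here; a production sanitizer must do it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_HTML_TAGS:
            self.parts.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_HTML_ATTRIBUTES:
                continue  # drops on* handlers, srcdoc, formaction, ...
            if value is None:
                kept.append(name)
            elif name not in URL_ATTRIBUTES or url_is_allowed(value):
                kept.append(f'{name}="{escape(value, quote=True)}"')
        self.parts.append("<" + " ".join([tag, *kept]) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<br/>" is emitted as "<br>"
        if tag in ALLOWED_HTML_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_HTML_TAGS:
            self.parts.append(escape(f"</{tag}>"))
        elif tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (and conditional-comment tricks) never reach the output

    handle_decl = unknown_decl = handle_pi = handle_comment


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


# Constructed payloads for this example, one per classic XSS vector.
PAYLOADS = {
    "script tag": "<script>alert(1)</script>",
    "event handler": '<img src="x" onerror="alert(1)">',
    "javascript url": '<a href="javascript:alert(1)">click</a>',
    "tab-split scheme": '<a href="java&#9;script:alert(1)">click</a>',
    "benign link": '<a href="https://example.com" title="ok">click</a>',
}


def check_payloads():
    return {label: sanitize(payload) for label, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for label, result in check_payloads().items():
        print(f"{label:18} -> {result}")
```

Running it shows the three mechanisms at work: the script tag survives only as escaped text, `onerror` disappears because it is not in the attribute list, and both `javascript:` forms lose their `href` while the `https:` link keeps it. Note that with the quoted tag list an `<iframe>` or `<input>` whose attributes all pass the checks is kept as-is, which is exactly the kind of thing to weigh when trimming the lists to an application's needs.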

You can find the commonly used XSS payloads below:

https://raw.githubusercontent.com/payloadbox/xss-payload-list/master/Intruder/xss-payload-list.txt

GiJ03, May 07 '23 07:05

I have tested the above payloads, and it seems all of them pass in the newest version. So, I'll close this issue. Let me know if any payloads are still facing this XSS issue.

agusmakmun, Mar 29 '24 15:03