bootstrap-markdown icon indicating copy to clipboard operation
bootstrap-markdown copied to clipboard

Published 20 hours ago verified publisher icon refactory-id

vulnerable to xss attacks

Open ghost opened this issue 10 years ago • 11 comments

This markdown editor is vulnerable to xss attacks especially the preview feature.

ghost avatar Aug 26 '14 10:08 ghost

Do you have an example case?

acrobat avatar Aug 26 '14 10:08 acrobat

@acrobat, add javascript:alert('xss') as markdown link then click preview button. click the link in the preview, its a vulnerability!! its not safe to use especially its open to hackers!!

ghost avatar Aug 26 '14 10:08 ghost

Looks like the above 2 commits prohibit the xss if javascript:alert('xss') is entered in the popup box, however when entering it directly in the editor it still vulnerable when hitting preview.

groothuyse avatar Feb 04 '15 12:02 groothuyse

ikr

ghost avatar Mar 17 '15 14:03 ghost

@iJoshuaHD @groothuyse My bad. Will re-check this soon.

toopay avatar Sep 02 '16 11:09 toopay

Any updates in this?

arall avatar Mar 24 '17 10:03 arall

@toopay any updates?

arall avatar May 26 '17 10:05 arall

@arall I havent found a bulletproof solution for this yet.

toopay avatar May 29 '17 10:05 toopay

+1 for this. Is a critical issue.

ar-anvd avatar Jul 27 '17 13:07 ar-anvd

Any news ?

nnachit avatar Aug 31 '18 09:08 nnachit