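XSS injection is still possible even with "protect_from_xss":true configured
Describe the bug The current implementation, which uses markdown-it-xss (the source repository seems to no longer exist), can still be injected.
To Reproduce Steps to reproduce the behavior: See https://github.com/victorootnice/victorootnice.github.io/blob/main/2023/bbp-01.md; it can also be reproduced by downloading the current release yourself.
Additional context I think this could directly follow the original markdown-it-xss implementation and use https://github.com/leizongmin/js-xss to do it.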
References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5701
I also noticed this publicly disclosed CVE regarding Markdown file XSS. This is being tracked as CVE-2023-5701 or VDB-243139 by VulDB.
I noticed this when I looked at VNote's listing on Repology and saw Repology's list of vulnerabilities on April 3, 2024. I was investigating whether I wanted to package VNote for the MPR, but I decided then to pause this plan until this CVE is fixed. I don't feel comfortable packaging an application that has a publicly known CVE onto a new repo.
(I was about to make a new GH issue, but luckily I found this issue first.)
Hi,
@zzndb I am wondering if you modified the config file correctly.
I use the "Edit User Configuration File" to change protect_from_xss to true.
And the test XSS script is rendered like this:
@taivlam for Repology's report, I am afraid they are testing VNote using the default config (or do not change the option correctly). I will make the XSS protection ON by default in the next version.
https://github.com/vnotex/vnote/commit/74e20dcb3e41d8c51c0a79f99e4ede4d8f6b0bde