
Safe Mode XSS (escape only) #703

Description

@JorianWoltjer

Describe the bug

It's possible to bypass the safe mode (escape only, not replace)

To Reproduce

Run markdown2 with safe_mode="escape" on the following markdown input:

![A](B "<C D="E" onerror=alert(origin) >")

The output HTML is:

<p><img src="B" alt="A" title="&lt;C D="E" onerror=alert(origin) &gt;" /></p>

The browser sees this as an image with src, alt, title and an onerror attribute. The onerror executes JavaScript, causing XSS.

This was found through fuzzing, so I'm not sure exactly why it happens, but this was the minimal PoC.

Debug info
Version of library being used: c2d73a3

Any extras being used: no
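The root cause visible in the reported output is that the title text is escaped for a text node (`<`, `>`, `&`) but not for an attribute value, where a raw `"` closes the quoted attribute and everything after it is tokenized as further attributes. The following is an added example (not markdown2's code and not from the reporter): a hypothetical `render_img` that produces markup of the same shape as the reported output, using either the angle-only escaping the report describes or full attribute escaping via `html.escape(..., quote=True)`, and a check that runs the result through the stdlib `html.parser` tokenizer (a stand-in for the browser's, not identical to it) to see whether an `onerror` attribute survives.

```python
import html
from html.parser import HTMLParser

# Constructed input: the title text from the PoC in the report,
# i.e. the part of ![A](B "...") between the quotes.
POC_TITLE = '<C D="E" onerror=alert(origin) >'


def escape_angle_only(text: str) -> str:
    """Escape only &, < and > (the behaviour the report's output shows)."""
    return html.escape(text, quote=False)


def escape_attr(text: str) -> str:
    """Escape &, <, >, " and ' so a value cannot terminate its own attribute."""
    return html.escape(text, quote=True)


def render_img(src: str, alt: str, title: str, escape) -> str:
    """Hypothetical renderer (NOT markdown2's code).

    Applies `escape` to each attribute value and wraps the result in the
    same markup shape as the HTML quoted in the report.
    """
    return '<p><img src="%s" alt="%s" title="%s" /></p>' % (
        escape(src), escape(alt), escape(title))


class _ImgAttrs(HTMLParser):
    """Collect the attributes of the first <img> the tolerant tokenizer sees."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.attrs is None:
            self.attrs = dict(attrs)


def img_attributes(markup: str) -> dict:
    """Tokenize markup with html.parser and return the <img>'s attributes.

    html.parser stands in for the browser tokenizer here; like a browser it
    recovers from a stray quote by reading the rest of the tag as attributes,
    so an unescaped `"` inside title="..." yields extra attribute names.
    """
    p = _ImgAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def has_event_handler(markup: str) -> bool:
    """True if the parsed <img> ends up with any on* attribute."""
    return any(name.startswith("on") for name in img_attributes(markup))


if __name__ == "__main__":
    weak = render_img("B", "A", POC_TITLE, escape_angle_only)
    safe = render_img("B", "A", POC_TITLE, escape_attr)
    print("escape <>& only :", weak)
    print("  parsed as     :", img_attributes(weak))
    print("escape quotes too:", safe)
    print("  parsed as     :", img_attributes(safe))
```

With angle-only escaping the parser reports `src`, `alt`, `title` (`<C`), `d`, `onerror` and a junk attribute, which is exactly how the browser ends up with an `onerror` handler; with quote escaping the `title` round-trips intact and the only attributes are `src`, `alt` and `title`. The practical rule is to escape `"` (and `'`) in every attribute value, not just `<`, `>` and `&`, since the encoder cannot know which quoting style a downstream template will use.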
