Injecting classnames into code blocks #699
Comments
|
Taking a look at the CommonMark spec, it looks like it is recommended that this should render as
Do you have a particular attack in mind here, other than minor defacement? Best (non-contrived) thing I can come up with is making styling look a little funny (by attaching specific defined classes) to a code block. If we're going contrived, then perhaps if a script already on the page would execute the contents of any element with an |
|
There's certainly things that could cause some breakage on the page, for example styles that make elements fixed or sticky. Scripts looking for particular classes, as you mentioned, could cause unknown problem as well. The fix here could be simply putting the word before first space into the class and dropping the rest? |
|
1.7.2 and 1.8.0-beta-6 now released. |
ghost
mentioned this issue
|
@aidantwoods wouldn't this require a CVE ? |
|
Looks like the DWF, who I requested a CVE via in #590, has shutdown, which is a shame 😞. I think I'd now have to go to MITRE directly to request a CVE. There's somewhat unclear impact with this one, since it'll require abusing existing functionality on the page but I'll do my best to describe potential impact and request one anyway—we'll see what they say :) |
|
By the way—and sorry I didn't say this sooner—thank you @xPaw for taking the time to report this and review the fix, it's very much appreciated 😄 |
Tested on 1.8.0-beta-5
In safe mode with html markup disabled, it is possible to insert any classname into a code block like this:
renders as:
<code class="language-js any-class-name with spaces">code</code>infostringneeds some cleanup here:parsedown/Parsedown.php
Line 473 in 21c8c79
The text was updated successfully, but these errors were encountered: