Possible XSS in safe_mode using incomplete tags #285
Comments
This is CVE-2018-5773, is there a fix?
Not yet. PRs welcome!
Any progress on this CVE, or is there an alternative that is safe(r) to use in the meantime?
Add sanitization for incomplete HTML tags.
@nicholasserra @thombashi Thanks for making an attempt to fix it. Unfortunately, XSS is still possible. A modified payload:
From: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
I was able to do something similar with python-markdown as well and it looks like the community agrees on deprecating safe_mode and using tools like Bleach (https://bleach.readthedocs.io/en/latest/). https://python-markdown.github.io/change_log/release-2.6/#safe_mode-deprecated
PoC with latest version:
using safe_mode="escape": It will trigger an alert box in Chrome. I think it will be a better approach to encode the incomplete tags as well to prevent it.
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
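The mitigation the report proposes, encoding incomplete tags rather than letting them through, as an added post-processing example. This is not code from markdown2, from the linked PR, or from Bleach; it is a stand-alone illustration of the idea. The regular expression for what counts as a "complete" tag is an assumption made for this example, and the inputs are constructed, not the payload from the issue.

```python
import re

# Heuristic for a *complete* HTML tag: an opening or closing tag whose name starts
# with a letter, whose attributes contain no stray '<' or '>' outside quotes, and
# which ends with '>'; or an HTML comment. (Assumption: this pattern is an illustrative
# approximation written for this example, not the grammar used by markdown2 or Bleach.)
_COMPLETE_TAG = re.compile(
    r'<(?:/?[A-Za-z][A-Za-z0-9-]*'                 # tag name, optional leading '/'
    r'(?:\s+(?:"[^"]*"|\'[^\']*\'|[^<>"\'])*)?'   # attributes; quoted values may hold '>'
    r'\s*/?'                                      # optional self-closing slash
    r'|!--.*?--)>',                               # or a comment, ending with '>'
    re.DOTALL,
)


def escape_incomplete_tags(fragment: str) -> str:
    """Return `fragment` with every '<' that does not begin a complete tag
    replaced by '&lt;', so an unterminated tag can no longer be completed by
    text that follows it once the fragment is embedded in a page."""
    out = []
    i = 0
    while i < len(fragment):
        if fragment[i] != "<":
            out.append(fragment[i])
            i += 1
            continue
        m = _COMPLETE_TAG.match(fragment, i)
        if m:
            out.append(m.group(0))  # complete tag: pass through untouched
            i = m.end()
        else:
            out.append("&lt;")      # incomplete tag or bare '<': neutralise it
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs for demonstration; none of them is a payload from the issue.
    for sample in ["<b>bold</b>", "text <i unterminated", "a < b", "<a <b>"]:
        print(repr(sample), "->", repr(escape_incomplete_tags(sample)))
```

This is a denylist-style patch: it only closes the specific gap of an unterminated `<`, and anything it does recognise as a complete tag is passed through unchanged. That is why the thread's conclusion is the stronger answer: run the rendered HTML through an allowlist sanitizer such as Bleach, which keeps only known-safe tags and attributes instead of trying to enumerate what is broken.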