Simplemde-markdown-editor: XSS Issues

Created on 14 Nov 2017  路  4Comments  路  Source: sparksuite/simplemde-markdown-editor

Hi, your preview mode has a major XSS issue.

Add this text in your demo, toggle preview and click the word play.

Go ahead, <div onclick="alert('test')">play</div> around with the editor!

Most helpful comment

@nivv demos are suppose to be representative of how a library should be used in the wild. @mbeckenbach is right that this is an issue. In the wild the markdown being edited/saved is likely visible and editable by multiple users.

All 4 comments

@mbeckenbach maybe I'm being stupid, but in this case you can only XSS attack yourself?

@nivv demos are suppose to be representative of how a library should be used in the wild. @mbeckenbach is right that this is an issue. In the wild the markdown being edited/saved is likely visible and editable by multiple users.

I feel like this is not an issue with SimpleMDE itself. It is designed to be a Markdown editor, which means it is designed to allow embedded HTML. Protecting against a non-trusted user's input is outside of the scope of SimpleMDE.

I think they should attach a warning about this, because there are plenty of naive developers out there, but it's up to the dev to protect against XSS. For example, I am using SimpleMDE both with its sanitization option enabled (and server-side sanitization of course) for untrusted users, and a non-sanitized version on a form only accessible by an admin, so that I can utilize HTML if I need to. A more complex use case could whitelist certain HTML uses and block others.

I am not the author, but I found this writeup extremely helpful:
https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

liniu picture liniu  路  3Comments

christianmalek picture christianmalek  路  5Comments

abr4xas picture abr4xas  路  3Comments

asvae picture asvae  路  3Comments

garethrbrown picture garethrbrown  路  5Comments