xss vulnerability in demo page #1294
Comments
@UziTech the report is not disclosed so only you and another person are able to access it.
@davisjam to @lirantal's point, what is the standard practice regarding reporting this kind of thing? This XSS is not on the Marked library - it is on a site we own and provide as a service to users and as a marketing tool. Therefore, we, the committers, are the ones running accept/mitigate/etc. against the vulnerability. This is also fixed by #1295; so, I don't think we need to update the README - just want to know what the MO is.
@joshbruce this was reported on hackerone.com and I was invited to review the report. The README notice is to remind people using marked from NPM that marked does not sanitize output by default and that displaying user generated markdown can be dangerous.
@uk1free Hi Mark Murray, we appreciate that you are following the development of marked but please do not spam our issue tracker. When you reply to the email from GitHub, your message is sent to 400 people watching this repository and it is a waste of time for 400 people to view a message that says "M". Thanks! 😄
Describe the bug
Our demo page allows XSS
We should try to mitigate this similar to commonmark's demo page
We should also have a disclaimer in our documentation about possible XSS vulnerability with displaying unsanitized output
related #1232
To Reproduce
Steps to reproduce the behavior:
Expected behavior
JavaScript should not execute