-
Notifications
You must be signed in to change notification settings - Fork 155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS when parsing math expression #26
Comments
fix XSS vulnerability when katex fails to render
Bug BountyWe have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/ We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚 Automatically generated by @huntr-helper... |
🛠️ A fix has been provided for this issue. Please reference: 418sec#1 🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform. |
By default, invoke KaTeX in ‘throwOnError:false‘ mode, so that it will produce _something_ from any input, and in particular, something which is guaranteed not to allow any live HTML tags through from the input. (Unless you are using ‘trust:true‘, in which case you presumably know what you are doing and why.) throwOnError:true mode can be re-enabled with plugin options, but then this plugin will **not** catch any exceptions that are thrown, leaving recovery up to a higher level. Since this is a significant behavior change, but one that is more likely to *fix* bugs in dependent programs than to introce them, the version number is now 2.1.0. Fixes waylonflinn#26, waylonflinn#30, and waylonflinn#7. I would like to thank @khrykin, poster of waylonflinn#7, for the idea that maybe the exception handlers inside this plugin should just be completely removed.
Look at: https://github.com/waylonflinn/markdown-it-katex/blob/master/index.js#L168
Once the parser returns error, it would return
katex
without sanitizing as HTML tags.To trigger this
catch
block, you can easily put one more "%" character.Try it on live demo http://waylonflinn.github.io/markdown-it-katex/
$<img src=a onerror=alert(1)>$
, nothing happens$<img src=a onerror=alert(1)>%$
you can see the alert dialog.Consider this affects many real-world products.
The text was updated successfully, but these errors were encountered: