Possible XSS injection?

Question

gluntn opened this issue 5 years ago · comments

Preface: I don't know enough about XSS injection, and I've only used the online demo. Just thought I'd share this.

I tried messing around with the script styling:

Hello there

And by adding a # before the backticks, a script-tag was generated.

#```<script>alert("1")</script>
hello
\```

(minus the backslash) became

<h1\>```<script\>alert(1)</script></h1>
<p>hello\</p>
<pre><code></code></pre>

Is this the correct behaviour?

Aidan Woods · Answer 1 · Thu Apr 04 2019 01:16:14 GMT+0800 (China Standard Time)

This is expected behaviour by default (since markdown itself permits HTML), however there is safe-mode if you want to accept user-input safely.

William · Answer 2 · Thu Apr 04 2019 01:17:34 GMT+0800 (China Standard Time)

Nice! Okay, that's good! 😁