wagtail / wagtail.org

Wagtail’s official marketing website

Home Page:https://wagtail.org/


XSS vulnerability in Markdown fields

thibaudcolas opened this issue

Our Markdown blocks allow arbitrary HTML (tested with a <script>alert('!')</script>); there’s no sanitisation step:

```python
from django.utils.safestring import mark_safe
from markdown import markdown

def render_basic(self, value, context=None):
    # Raw HTML in the source passes through markdown() untouched, and mark_safe disables Django's escaping
    md = markdown(value, extensions=["markdown.extensions.fenced_code", "codehilite"])
    return mark_safe(md)
```

Example: https://wagtailio.production.torchbox.com/admin/pages/788/edit/


Based on a discussion with @wagtail/security, we believe this is unlikely to be exploited, and as such can be added to our backlog without an immediate plan to fix.

Possible solutions we discussed:
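One form a sanitisation step can take, as an added illustration that is not code from the issue or from wagtail.org: an allowlist filter over the HTML that `markdown()` produces, run before the result is passed to `mark_safe`. It uses only the standard library to stay runnable here; a maintained sanitiser such as `bleach` or `nh3` is the usual choice in production. The tag and attribute allowlist and the sample HTML are constructed assumptions, sized to what `fenced_code` and `codehilite` emit.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: basic Markdown output plus the class attributes codehilite adds.
ALLOWED_TAGS = {"p", "br", "strong", "em", "a", "ul", "ol", "li", "blockquote",
                "h1", "h2", "h3", "h4", "pre", "code", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "pre": {"class"}, "code": {"class"},
                 "span": {"class"}, "div": {"class"}}


def is_safe_url(url: str) -> bool:
    """Allow relative, http(s) and mailto links; reject javascript:/data: and whitespace-obfuscated schemes."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    try:
        return urlsplit(cleaned).scheme.lower() in ("", "http", "https", "mailto")
    except ValueError:  # malformed IPv6 host etc.
        return False


class AllowlistSanitizer(HTMLParser):
    """Re-serialise HTML keeping only allowlisted tags/attributes; drop <script>/<style> with their bodies."""
    DROP_WITH_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skipping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_WITH_CONTENT:
            self._skipping += 1
        elif tag in ALLOWED_TAGS and not self._skipping:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and (n != "href" or is_safe_url(v or ""))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag  # <br/> is emitted once, without a closing tag

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self._skipping = max(0, self._skipping - 1)
        elif tag in ALLOWED_TAGS and not self._skipping and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))  # text content stays text


def sanitize_html(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what markdown() emits for a field containing raw HTML.
UNTRUSTED_HTML = ("<p>Hello <strong>world</strong></p>\n<script>alert('!')</script>\n"
                  '<p><a href="javascript:alert(1)" onclick="x()">click</a></p>')

if __name__ == "__main__":
    print(sanitize_html(UNTRUSTED_HTML))  # the <script> block and the two attributes are gone
```

The sanitised string is what `render_basic` should wrap in `mark_safe`; HTML comments and unknown tags are dropped while their text is kept, so ordinary Markdown output is unchanged.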