XSS vulnerability in Markdown fields
thibaudcolas opened this issue
Thibaud Colas commented
Our Markdown blocks allow arbitrary HTML (tested with a <script>alert('!')</script>); there’s no sanitisation step:
wagtail.org/wagtailio/utils/blocks.py, lines 133 to 135 in 0eb6cc2
Example: https://wagtailio.production.torchbox.com/admin/pages/788/edit/
Based on a discussion with @wagtail/security, we believe this is unlikely to be exploited, and as such can be added to our backlog without an immediate plan to fix.
Possible solutions we discussed:
- Switch to wagtail-markdown, which appears to sanitize its output https://github.com/torchbox/wagtail-markdown/blob/main/src/wagtailmarkdown/utils.py#L21
- Use Wagtail’s own HTML filtering (https://github.com/wagtail/wagtail/blob/main/wagtail/whitelist.py), or bleach
- Switch to rich text
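As an added illustration, not code from this issue or the wagtail.org project, the following is a minimal stdlib-only allowlist filter of the kind the second option describes, applied to the HTML a Markdown renderer emits so that raw `<script>`, event-handler attributes and `javascript:` links are dropped while ordinary Markdown markup survives. The tag, attribute and URL-scheme allowlists are assumptions chosen for the example; a production site would use a maintained library such as bleach or Wagtail's whitelist module instead.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist: tags a Markdown renderer normally produces (example values).
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no on*, style, src, ...
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # >0 while inside <script>/<style>: content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag is removed, its text content is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onclick=, onerror=, style=
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # e.g. javascript: or data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # emit <br>, not <br></br>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._dropping = max(0, self._dropping - 1)
            return
        if not self._dropping and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))  # re-escape text


def sanitize(rendered_html: str) -> str:
    """Filter Markdown-rendered HTML through the allowlist before it is stored/shown."""
    parser = AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)
```

Comments are dropped by HTMLParser's default handler, so `<!-- -->` never reaches the output.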