[Security] Vulnerable to XSS attacks. #56

OmkarK45 · 2020-10-28T09:02:39Z

Issue : The textarea doesn't do any validation or sanitize any input to it.

What is happening : This makes editor execute inline html code.

How to reproduce ? : Simply type <img src onerror="alert('hey!')"/> in input box

The text was updated successfully, but these errors were encountered:

OmkarK45 · 2020-10-28T09:04:33Z

Screenshot

jaywcjlove · 2020-10-28T12:11:55Z

<MDEditor
  value="Hello Markdown!"
  previewOptions={{
  
  }}
/>

transformLinkUri - function|null Function that gets called for each encountered link with a single argument - uri. The returned value is used in place of the original. The default link URI transformer acts as an XSS-filter, neutralizing things like javascript:, vbscript: and file: protocols. If you specify a custom function, this default filter won't be called, but you can access it as require('react-markdown').uriTransformer. If you want to disable the default transformer, pass null to this option.
escapeHtml - boolean Setting to false will cause HTML to be rendered (see notes below about proper HTML support). Be aware that setting this to false might cause security issues if the input is user-generated. Use at your own risk. (default: true).
skipHtml - boolean Setting to true will skip inlined and blocks of HTML (default: false).

OmkarK45 · 2020-10-28T12:16:01Z

Thank you for replying. I will try this ✌️

OmkarK45 · 2020-10-28T13:20:58Z

Update : Your answer fixed the issue. Thanks again. I'm closing the issue now.

OmkarK45 · 2020-10-30T08:10:18Z

[image: image.png] <MDEditor height={400} value={value} onChange={setValue} previewOptions={{ transformLinkUri: null, skipHtml: true, }} />

On Fri, Oct 30, 2020 at 2:29 AM Antwan Sherif ***@***.***> wrote: @OmkarK45 <https://github.com/OmkarK45> Can you share with me a code snippet of the settings you used? Because adding "" to the editor still produces the alert! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#56 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK3SOWXIUUQAOYCYTRQGMK3SNHJSBANCNFSM4TCAYWRQ> .

jaywcjlove · 2021-12-08T13:50:29Z

OmkarK45 closed this as completed Oct 28, 2020

jaywcjlove mentioned this issue Nov 15, 2020

A tag don't work uiwjs/react-markdown-preview#40

Open

Provide feedback