[SECURITY] autolinker plugin is vulnerable to XSS #1054
Comments
Rob--W added a commit to Rob--W/prism that referenced this issue (Nov 9, 2016)

I have attached a patch to PR #1051.
Rob--W added a commit to Rob--W/prism that referenced this issue (Nov 20, 2016)
Golmote pushed a commit that referenced this issue (Nov 20, 2016)

* Skip non-own properties of env.attributes

  Use `Object.keys` instead of a for-in loop to find optional attributes. The former only grabs keys that are own properties; the latter also includes inherited properties from `Object.prototype`. This reduces the risk of XSS if an attacker somehow manages to manipulate the prototype chain of the Object prototype.

* Fix root cause of XSS in autolinker plugin #1054

* command-line plugin: Safely encode attributes

  If an attacker has control over the values of the attributes "data-prompt", "data-user", or "data-host", then XSS was possible. This fixes the issue by encoding quotes as the `&quot;` entity.

* show-language plugin: innerHTML -> textContent

  There is no need for `innerHTML` here. At best nothing happens, at worst XSS is possible (though the odds are negligible since the attacker would have to control the detected language).

* toolbar plugin: innerHTML -> textContent
#1051 was merged.
The autolinker plugin enables XSS on websites that use Prism.js to highlight user-generated content.

For example, edit plugins/autolinker/index.html and put the following string in one of the code blocks, e.g. at line 38. The plugin will turn the text into a link and enable XSS (in this example, hover over the link to see a dialog).

There are ways to increase the impact of this vulnerability (i.e. instant exploitation), but to avoid putting unpatched websites at risk by unskilled trolls, I've only shown the above simple example.
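The following is an added, self-contained example written for this page; it is not Prism's code and not the patch from PR #1051. It models the bug class from the issue description above (URL-like text spliced raw into an `href` attribute) next to the two hardening steps named in the fix commit message: attribute values are encoded so a double quote becomes `&quot;`, and attributes are enumerated with `Object.keys` instead of for-in. The URL matcher `URL_RE`, the function names, and the `POISONED` input are all assumptions made for the example; the payload is constructed and carries no whitespace so that a greedy matcher swallows the whole thing. It runs under Node without a DOM, so the `innerHTML` to `textContent` change from the same commit is not shown.

```javascript
'use strict';
// Added example for issue #1054; this is not Prism's own code. It models the
// bug class the issue describes (URL-like text spliced raw into an href
// attribute) next to the two hardening steps named in the fix commit:
// attribute values are encoded (quotes become &quot;) and attributes are
// enumerated with Object.keys rather than for-in.

// Constructed attacker input. The "URL" contains no whitespace, so a matcher
// that takes a run of non-space characters swallows the whole payload.
const POISONED = 'see https://example.com/"onmouseover="alert(1) for details';

// Assumed URL matcher (simpler than the plugin's): allowlisted scheme, then a
// run of non-whitespace characters.
const URL_RE = /\b(?:https?|ftp):\/\/\S+/g;

// Escaping for text nodes: enough between tags, not enough inside a quoted
// attribute value because it leaves the double quote alone.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Escaping for a double-quoted attribute value: text escaping plus the quote.
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;');
}

// Two ways of enumerating an attribute map. for-in walks inherited enumerable
// properties too, so a polluted Object.prototype leaks into the markup;
// Object.keys returns own enumerable properties only.
function keysForIn(obj) {
  const names = [];
  for (const k in obj) names.push(k);
  return names;
}
function keysOwn(obj) {
  return Object.keys(obj);
}

// Serialise attributes as ` name="value"` pairs with attribute encoding.
function renderAttributes(attrs, keysOf = keysOwn) {
  return keysOf(attrs)
    .map((k) => ' ' + k + '="' + escapeAttr(String(attrs[k])) + '"')
    .join('');
}

// Shared driver: text outside matches is text-escaped; each match is handed
// to makeAnchor, which decides how the <a> element is built.
function linkify(text, makeAnchor) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeText(text.slice(last, m.index)) + makeAnchor(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeText(text.slice(last));
}

// Vulnerable form: the matched text goes into href untouched. A double quote
// inside the match closes the attribute early and the remainder is parsed as
// further attributes, here an onmouseover handler.
function autolinkVulnerable(text) {
  return linkify(text, (url) => '<a href="' + url + '">' + escapeText(url) + '</a>');
}

// Hardened form: the href value is attribute-encoded, so the quote is emitted
// as &quot; and stays inside the attribute value.
function autolinkSafe(text) {
  return linkify(text, (url) => '<a' + renderAttributes({ href: url }) + '>' + escapeText(url) + '</a>');
}

// Simulated prototype pollution (constructed; removed again in finally) showing
// why the fix switched from for-in to Object.keys.
function attributesUnderPollution() {
  Object.prototype.onmouseover = 'alert(1)';
  try {
    const attrs = { href: 'https://example.com/' };
    return { forIn: renderAttributes(attrs, keysForIn), own: renderAttributes(attrs, keysOwn) };
  } finally {
    delete Object.prototype.onmouseover;
  }
}

console.log('vulnerable: ', autolinkVulnerable(POISONED));
console.log('hardened:   ', autolinkSafe(POISONED));
console.log('for-in:     ', attributesUnderPollution().forIn);
console.log('Object.keys:', attributesUnderPollution().own);
```

The vulnerable output renders as `<a href="https://example.com/"onmouseover="alert(1)">`, which browsers parse as an `href` followed by a separate `onmouseover` attribute, matching the hover-to-trigger behaviour the issue describes. The hardened output keeps the whole match inside `href` as `https://example.com/&quot;onmouseover=&quot;alert(1)`. Encoding the quote is the minimum; a practitioner would also keep the scheme allowlist in the matcher, since attribute encoding does nothing against a `javascript:` URL that is linked as-is.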