Artanis/pagedown

XSS: fails to escape link text in [<svg/onload=alert(1)//]() correctly

Closed this issue · 0 comments

```
> new Markdown.Converter().makeHtml('[<svg/onload=alert(1)//]()')
→ '<p><a href=""><svg/onload=alert(1)//</a></p>'
```

This displays an alert in Firefox (XSS). Demo:

```
data:text/html;charset=utf-8,<p><a href=""><svg/onload=alert('XSS')//</a></p>
```

Expected output is:

```
→ '<p><a href="">&lt;svg/onload=alert(1)//</a></p>'
```

I.e. the `<` should always be escaped.

Original issue reported on code.google.com by mathias@qiwi.be on 9 Aug 2012 at 1:39
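
The behaviour reported above and the expected output, reproduced as an added example that is not Pagedown's code and not part of the original report. `escapeHtml`, `renderLink` and `strayAngleBrackets` are hypothetical names for a minimal inline-link renderer and a regression check that flags any `<` in the output that does not begin a tag the renderer itself emits.

```javascript
// Constructed input, taken from the issue report: inline link whose
// link text looks like markup.
const SAMPLE = '[<svg/onload=alert(1)//]()';

// Escape characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Minimal inline-link renderer (hypothetical): [text](url) -> <a href="url">text</a>.
// escapeText=false reproduces the output shown in the report;
// escapeText=true produces the output the report expects.
function renderLink(md, escapeText) {
  const html = md.replace(/\[([^\]]*)\]\(([^)]*)\)/g, (_, text, url) =>
    '<a href="' + escapeHtml(url) + '">' +
    (escapeText ? escapeHtml(text) : text) + '</a>');
  return '<p>' + html + '</p>';
}

// Regression check: return the offset of every '<' that does not start one
// of the tags this renderer emits (<p>, </p>, <a href="...">, </a>).
// Any hit means user-supplied text reached the output unescaped.
function strayAngleBrackets(html) {
  const expected = /^<(?:\/?p|\/a|a href="[^"<>]*")>/;
  const hits = [];
  for (let i = 0; i < html.length; i++) {
    if (html[i] === '<' && !expected.test(html.slice(i))) hits.push(i);
  }
  return hits;
}

console.log(renderLink(SAMPLE, false), strayAngleBrackets(renderLink(SAMPLE, false)));
console.log(renderLink(SAMPLE, true), strayAngleBrackets(renderLink(SAMPLE, true)));
```

A check of this shape can run in a converter's test suite over a corpus of link-text inputs, so that an unescaped `<` fails the build.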