Uploaded image for project: 'Markdown Syntax'
  1. Markdown Syntax
  2. MARKDOWN-80

XSS via Markdown content

    XMLWordPrintable

Details

    • Unit
    • Unknown

    Description

      Steps to reproduce:

      1. Install the CommonMark markdown syntax.
      2. Login as user without script right.
      3. Edit any document and set the syntax to Markdown.
      4. Add to any field of that document or a comment the content <script>alert("XSS")</script>

      Expected result:

      No alert is displayed as the user doesn't have script right.

      Actual result:

      An alert with content "XSS" is displayed.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. MARKDOWN-70 Disabled raw HTML elements are not disabled

          • Major - Major loss of function.
          • Open

          Activity

            People

              pjeanjean Pierre Jeanjean
              MichaelHamann Michael Hamann
              Manu F
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: