XSS Vulnerability

[jhelou96]

Hey,

someone pointed out an issue in another Angular markdown library about XSS vulnerability and it seems that this library presents the same issue as well.

Links are not being validated and as such, the following code could be used to execute javascript code:

[Click Me](javascript:alert('Injected!'%29)

[jfcere]

@jhelou96 thanks for reporting this, i'll look into it.

[jfcere]

Follow up

I made a PR to use Angular DomSanitizer but it currently breaks table alignments because marked parser uses style attribute style="align-text: ..." but this is considered XSS vulnerable and it is striped by the sanitization. They are changing the way to handle table alignment for align attribute align="...", which will solve the problem, but although the changes are in their master branch it has not been released yet.

Marked built-in sanitizer

Right now, there is an option when configuring the MarkdownModule that allows you to use marked built-in sanitizer. In the long run, they are planing to remove this feature as I saw in this PR so my PR is what should be done once they removed the sanitizer on their end and they release the fix for table alignment.

TL;DR

You can sanitize the markdown by setting the sanitize property to true when importing the MarkdownModule like this:

MarkdownModule.forRoot({
  provide: MarkedOptions,
  useValue: {
    gfm: true,
    tables: true,
    breaks: false,
    pedantic: false,
    sanitize: true, // enable marked built-in html sanitizer
    smartLists: true,
    smartypants: false,
  },
}),

You can report to the documentation for MarkdownModule configuration in the README.md file for more information.

[ganeshkbhat]

@jfcere is this closed or I yet have to sanitize my previous version v1.6? I saw this:

You can sanitize the markdown by setting the sanitize property to true when importing the MarkdownModule like this: Which version would this be?

[jfcere]

It is closed because you can already sanitize by setting property sanitize: true when providing MarkedOptions configuration with MarkdownModule.forRoot({ .... }). But the value is set to false by default which means you have to provide MarkedOptions to activate sanitize HTML.

This feature is available since v1.5.0.
See my previous #65 (comment) for an example.

[ganeshkbhat]

Ok cool. Thanks. Sorry for replying late. In what kind of cases do script tags or any javascript gets applied other than the link javascripts? Hopefully none right? Just making sure.

[jfcere]

I am not an expert on that matter but I know Javascript can be injected into different html elements such as script, link, body and some other tags and it can also be injected into CSS properties like background-url.

I would suggest you to read the following article: https://www.acunetix.com/websitesecurity/cross-site-scripting/ ... it's really interesting if you are not familiar with XSS vulnerability and it shows a couple of examples.

[ganeshkbhat]

ok. neither me. i will sanitise. :-)

[learnwell]

@jfcere You should let them know about the sanitize flag here as they've issued a security advisory:
https://nodesecurity.io/advisories/892

[KingDarBoja]

@jfcere You should let them know about the sanitize flag here as they've issued a security advisory:
https://nodesecurity.io/advisories/892

Same here, got the security warning on this package.

[jfcere]

@learnwell, @KingDarBoja thx for getting this to my attention.

I sent a support request to NPM to revoke the security advisory as sanitze option can be activated to use Angular's DOM sanitization.

As if it wasn't enough, the consumer has also the flexibility to provide his own sanitize function with sanitizer: function property through MarkedOptions when setting sanitize: true.

MarkdownModule.forRoot({
  provide: MarkedOptions,
  useValue: {
    gfm: true,
    tables: true,
    breaks: false,
    pedantic: false,
    sanitize: true, // will use Angular DOM sanitizer
    smartLists: true,
    smartypants: false,
  },
}),