Comments (5)
some1ataplace
commented on September 22, 2024
Maybe something like this. I did not test this yet.
To fix the XSS vulnerability, you need to sanitize the user input before rendering it as HTML. One way to do this is by using a library like bleach to clean the input and remove any potentially harmful content.
https://github.com/agusmakmun/django-markdown-editor/blob/master/martor/utils.py
import bleach
from django.utils.safestring import mark_safe
from martor import settings
from markdown import markdown
ALLOWED_TAGS = bleach.sanitizer.ALLOWED_TAGS + ['img', 'p', 'pre', 's', 'u', 'code', 'kbd', 'br']
ALLOWED_ATTRIBUTES = bleach.sanitizer.ALLOWED_ATTRIBUTES
ALLOWED_ATTRIBUTES.update({
'*': ['class', 'id'],
'img': ['src', 'alt', 'title'],
'a': ['href', 'rel', 'title'],
})
def markdownify(markdown_text):
"""
Convert markdown to html.
"""
html = markdown(text, extensions=settings.MARTOR_MARKDOWN_EXTENSIONS)
sanitized_html = bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
return mark_safe(sanitized_html)
from django-markdown-editor.
GiJ03
commented on September 22, 2024
For reporting a valid issue, will I be eligible for a CVE?
from django-markdown-editor.
agusmakmun
commented on September 22, 2024
We have fixed some xss issues before, one of reason why we're using bleach is because of it.
But I can say xss issue is quite complex, especially on it payloads. But so far we're using these configuration in martor:
- Configuration: https://github.com/agusmakmun/django-markdown-editor#setting-configurations-settingspy
- Implementation: https://github.com/agusmakmun/django-markdown-editor/blob/master/martor/utils.py#L22
# URL schemes that are allowed within links
ALLOWED_URL_SCHEMES = [
"file", "ftp", "ftps", "http", "https", "irc", "mailto",
"sftp", "ssh", "tel", "telnet", "tftp", "vnc", "xmpp",
]
# https://gist.github.com/mrmrs/7650266
ALLOWED_HTML_TAGS = [
"a", "abbr", "b", "blockquote", "br", "cite", "code", "command",
"dd", "del", "dl", "dt", "em", "fieldset", "h1", "h2", "h3", "h4", "h5", "h6",
"hr", "i", "iframe", "img", "input", "ins", "kbd", "label", "legend",
"li", "ol", "optgroup", "option", "p", "pre", "small", "span", "strong",
"sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "u", "ul"
]
# https://github.com/decal/werdlists/blob/master/html-words/html-attributes-list.txt
ALLOWED_HTML_ATTRIBUTES = [
"alt", "class", "color", "colspan", "datetime", # "data",
"height", "href", "id", "name", "reversed", "rowspan",
"scope", "src", "style", "title", "type", "width"
]Feel free to modify those, depend on your application needs.
@GiJ03 Can you share us what is your xss payload that causing the xss issue appear? So we can easily help you to resolve your issue. More xss payloads will be awesome.
Here is some test example:
django-markdown-editor/martor/tests/tests.py
Lines 94 to 110 in 2c745fe
from django-markdown-editor.
GiJ03
commented on September 22, 2024
You can find the commonly used XSS payloads below:
https://raw.githubusercontent.com/payloadbox/xss-payload-list/master/Intruder/xss-payload-list.txt
from django-markdown-editor.
agusmakmun
commented on September 22, 2024
I have tested above payloads, and seems all of them are passed in newest version.
So, I'll close this issue. Let me know if any payloads still facing this xss issue.
from django-markdown-editor.
Related Issues (20)
- incompatibility with Python versions below 3.9 HOT 7
- After version 1.6.26 the setting MARTOR_UPLOAD_URL is ignored HOT 6
- The editor does not work when setting a Content Security Policy HOT 1
- Loosen restriction on importlib-metadata HOT 4
- Emoji url is done HOT 1
- class tag doesn't render correctly HOT 2
- toolbar nav style issue HOT 1
- Error with markdownify HOT 1
- Adding a new instance in an admin inline results in Uncaught TypeError HOT 1
- Losing text when (semi)colons follow links. HOT 2
- preview is not displaying correctly for “ordered” and “unordered” list items. HOT 1
- 📣 Call for Contributors: Help Needed to Maintain and Enhance django-markdown-editor! HOT 6
- Enable specifying the size of an image HOT 1
- Django 5 & Python 3.12 support HOT 2
- Updating Editor Content with Javascript HOT 1
- Django 4.2.11 support HOT 2
- Copy/Paste clipboard images HOT 1
- Dynamic MARTOR_UPLOAD_URL HOT 1
- Improve documentation for using html HOT 2
- Stop tagging Django with a less than version. HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-markdown-editor.