Epiceditor – Cross-Site Scripting

EpicEditor Introduction

EpicEditor is an embeddable JavaScript Markdown editor with split fullscreen editing, live previewing, automatic draft saving, offline support, and more. For developers, it offers a robust API, can be easily themed, and allows you to swap out the bundled Markdown parser with anything you throw at it.

Project URL: https://github.com/OscarGodson/EpicEditor

Causes of Vulnerability

EpicEditor uses marked.js (https://github.com/chjj/marked) to render the Markdown preview, but does not filter HTML tags in the input, so raw HTML typed into the editor reaches the preview pane unescaped, resulting in an XSS vulnerability.

Tested version

EpicEditor-0.2.2

Vulnerability reproduction

Create a new test.html that references epiceditor.js.

Then open test.html, enter <img src = 0 onerror = alert (1)> in the editor and click the preview; the result is shown below.


Bug fix

marked.defaults = {
 gfm: true,
 tables: true,
 breaks: false,
 pedantic: false,
 sanitize: false, // raw HTML in the source is passed through to the output unescaped
 silent: false,
 highlight: null
};

Set sanitize to true in these defaults, or call marked.setOptions({ sanitize: true }) before rendering the preview.
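To make the fix concrete, the following added example (not EpicEditor's or marked's own code) models what the sanitize switch changes: raw HTML in the Markdown source is escaped before it reaches the preview pane. The escape table is assumed to match marked's; renderPreview and previewHasRawHandler are illustrative names, and the sample input is the payload from the reproduction above with its whitespace normalized.

```javascript
// Added example: a small model of marked's `sanitize` option, so the weak
// default and the fixed setting can be compared side by side.

// Escaping applied when sanitize is on (assumption: same table as marked 0.2.x).
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Simplified preview renderer: wraps the source in a paragraph and either
// passes raw HTML tags through (sanitize: false, the EpicEditor 0.2.2 default)
// or escapes them (sanitize: true). Only inline tags are modelled here.
function renderPreview(markdown, options) {
  const opts = Object.assign({ sanitize: false }, options);
  const tagPattern = /<\/?[a-zA-Z][^>]*>/g;
  const body = opts.sanitize
    ? markdown.replace(tagPattern, (tag) => escapeHtml(tag))
    : markdown;
  return '<p>' + body + '</p>';
}

// Defender's check on the rendered preview: is there still a real element
// carrying an on* event-handler attribute (i.e. something the browser would run)?
function previewHasRawHandler(html) {
  return /<[a-zA-Z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample: the payload from the reproduction section.
const sample = '<img src=0 onerror=alert(1)>';

const weak = renderPreview(sample);                    // default configuration
const fixed = renderPreview(sample, { sanitize: true }); // the fix

console.log('sanitize:false ->', weak, '| handler reaches DOM:', previewHasRawHandler(weak));
console.log('sanitize:true  ->', fixed, '| handler reaches DOM:', previewHasRawHandler(fixed));
```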
