Epiceditor – Cross-Site Scripting

EpicEditor Introduction

EpicEditor is an embeddable JavaScript Markdown editor with split fullscreen editing, live previewing, automatic draft saving, offline support, and more. For developers, it offers a robust API, can be easily themed, and allows you to swap out the bundled Markdown parser with anything you throw at it.

Project URL: https://github.com/OscarGodson/EpicEditor

Causes of Vulnerability

EpicEditor uses marked.js (https://github.com/chjj/marked) to render the live preview, but hands the editor content to the parser with raw HTML left unfiltered (marked's sanitize option stays at its default of false). Any HTML the user types, including tags with event-handler attributes, is therefore written into the preview as markup, which gives a stored/reflected XSS sink wherever the editor content is shown to other users.

TEST version


Vulnerability reproduction

Create a new test.html that loads epiceditor.js and mounts the editor.

Then open test.html, type <img src=0 onerror=alert(1)> into the editor and click Preview. The image fails to load, the onerror handler runs in the page's origin and the alert fires, confirming script execution from editor content.


Bug fixes

The relevant marked defaults are:

marked.defaults = {
 gfm: true,
 tables: true,
 breaks: false,
 pedantic: false,
 sanitize: false,
 silent: false,
 highlight: null
};

Set sanitize to true in those defaults, or call marked.setOptions({ sanitize: true }) before the preview is rendered. With sanitize on, marked escapes raw HTML in the input instead of passing it through, so the payload above is shown as text rather than executed. Note that later marked releases deprecate the sanitize option in favour of sanitizing the rendered HTML with a dedicated library such as DOMPurify before assigning it to innerHTML; either way the preview must never receive unsanitized HTML derived from user input.
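The following is an added example and not code from EpicEditor or marked. It uses a deliberately tiny stand-in renderer, renderMarkdown, to show what the sanitize switch changes: with it off, the raw tag reaches the preview unchanged and its event handler survives; with it on, the input is HTML-escaped before any markup is produced. The names escapeHtml, renderMarkdown and containsActiveHtml, and the payload string, are all constructed for this illustration and are not part of either project.

```javascript
// Added example (not EpicEditor's or marked's code): a minimal stand-in
// renderer that mirrors the effect of marked's sanitize option on raw HTML.

// Escape the characters that let user text be parsed as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, ch => map[ch]);
}

// Tiny renderer: paragraphs and *emphasis* only.
// sanitize:false passes raw HTML straight through (the vulnerable default);
// sanitize:true escapes the whole input first, so raw tags become text.
function renderMarkdown(md, { sanitize = false } = {}) {
  const body = sanitize ? escapeHtml(md) : md;
  return body
    .split(/\n{2,}/)
    .map(p => '<p>' + p.replace(/\*([^*]+)\*/g, '<em>$1</em>') + '</p>')
    .join('\n');
}

// Rough triage check on rendered output: does it still contain a script-like
// element or any tag carrying an on* event-handler attribute?
const ACTIVE_HTML = /<\s*(script|iframe|object|embed)\b|<[^>]+\son\w+\s*=/i;
function containsActiveHtml(html) {
  return ACTIVE_HTML.test(html);
}

// Constructed sample input: the same payload used in the reproduction above.
const PAYLOAD = '<img src=0 onerror=alert(1)>';

// Vulnerable preview path: preview.innerHTML = renderMarkdown(input)
const unsafeOutput = renderMarkdown(PAYLOAD);
// Hardened preview path: preview.innerHTML = renderMarkdown(input, { sanitize: true })
const safeOutput = renderMarkdown(PAYLOAD, { sanitize: true });

console.log('sanitize:false ->', unsafeOutput, '| active HTML:', containsActiveHtml(unsafeOutput));
console.log('sanitize:true  ->', safeOutput, '| active HTML:', containsActiveHtml(safeOutput));
```

In a browser the two console lines correspond to assigning each string to the preview element's innerHTML: the first executes the onerror handler, the second displays the literal text of the tag. The containsActiveHtml check is only a coarse grep for triage, not a substitute for escaping or a real sanitizer.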

