EpicEditor – Cross-Site Scripting

EpicEditor Introduction

EpicEditor is an embeddable JavaScript Markdown editor with split fullscreen editing, live previewing, automatic draft saving, offline support, and more. For developers, it offers a robust API, can be easily themed, and allows you to swap out the bundled Markdown parser with anything you throw at it.

Project URL: https://github.com/OscarGodson/EpicEditor

Causes of Vulnerability

EpicEditor uses marked.js (https://github.com/chjj/marked) to render the preview, but it does not filter HTML tags in the editor input, so raw markup is emitted into the page, resulting in an XSS vulnerability.

Test version


Vulnerability reproduction

Create a new test.html that references epiceditor.js.

Then open test.html, type <img src=0 onerror=alert(1)> into the editor and click on the preview; the result is shown below.


Bug fixes

marked.defaults = {
 gfm: true,
 tables: true,
 breaks: false,
 pedantic: false,
 sanitize: false,
 silent: false,
 highlight: null
};

Set sanitize to true in these defaults, or call marked.setOptions({sanitize: true}) before rendering the preview.
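The following is an added illustration of the fix and is not code from EpicEditor or marked. A small stand-in renderer models only the behaviour at issue (raw HTML passed through when sanitize is false, escaped when sanitize is true), a wrapper forces sanitize on for a parser handed to EpicEditor's `parser` option, and a regression check inspects the rendered preview; the stand-in renderer and the check are constructed here, and that EpicEditor calls its parser as parser(text) is an assumption.

```javascript
// Added example, not code from EpicEditor or marked. The tiny renderer below
// stands in for marked so that the script runs offline in Node: raw HTML in the
// Markdown source is passed through when sanitize is false (the default shown
// above) and escaped as text when sanitize is true.

// Same replacement table as marked's escape() helper.
function escapeHtml(text) {
  return text
    .replace(/&(?!#?\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal Markdown renderer (constructed): blank-line separated blocks become
// paragraphs. A block that starts with a tag is treated as block-level HTML and
// emitted raw unless opts.sanitize is set, in which case it is escaped.
function renderMarkdown(src, opts = {}) {
  const sanitize = opts.sanitize === true;
  return src.trim().split(/\n{2,}/).map(function (block) {
    const isHtml = /^<[a-zA-Z!\/]/.test(block);
    if (isHtml && !sanitize) return block;
    return '<p>' + escapeHtml(block) + '</p>';
  }).join('\n');
}

// Wraps any marked-style parse(text, options) function so that the function
// passed as EpicEditor's `parser` option always renders with sanitize forced on,
// regardless of the library-wide defaults. (Assumption: EpicEditor invokes the
// parser as parser(text) with no options of its own.)
function sanitizingParser(parse) {
  return function (text) {
    return parse(text, { sanitize: true });
  };
}

// Regression check for the preview: true if the rendered HTML still contains an
// unescaped tag carrying an on* event-handler attribute, or a <script> tag.
function hasActiveMarkup(html) {
  return /<[a-zA-Z][^>]*\son[a-zA-Z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Constructed input: the same payload used in the reproduction above.
const payload = '<img src=0 onerror=alert(1)>';
console.log(renderMarkdown(payload));                    // raw tag reaches the preview
console.log(sanitizingParser(renderMarkdown)(payload));  // escaped text, rendered inert
```

Later marked releases deprecated the sanitize option in favour of passing the rendered HTML through a dedicated sanitizer such as DOMPurify, so on a current marked the same wrapper would apply that sanitizer to the parser's output instead.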