
XSS via <iframe srcdoc> #654

Open
tosmolka opened this issue Jan 31, 2025 · 1 comment

Comments

@tosmolka

Hi, not sure if this is a known issue and accepted risk for this library or not.

It seems the playground environment at https://markdown-to-jsx.quantizor.dev/ permits the <iframe> element and the srcdoc tag. This can be turned into XSS/arbitrary JS code execution.

How can an app that uses markdown-to-jsx library protect against these types of threats? Set disableParsingRawHTML to true? Anything else?

Is this dangerous behavior enabled by default? Would it be possible to implement secure defaults (a.k.a. "Secure by Default") so that security protections are enabled and enforced by default and users have a way to opt-out if needed?

Thank you.


@Akshay090

another test snippet for this issue

<IFRAME
SRC="javascript:alert(document
.domain);"></IFRAME>
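The opening post asks how an app using markdown-to-jsx should defend against raw-HTML injection such as the two <iframe> variants shown in this thread (srcdoc= in the first post, src="javascript:" in the comment above). The following is an added example written for this page; it is not code from markdown-to-jsx or from either commenter. The only library detail it relies on is the option name disableParsingRawHTML, which appears in the thread; the function names (auditRawHtml, reviewForRender, normalizeUrl), the findings format and the sample inputs are all constructed here. The audit is a plain regex scan run before rendering, intended for logging and review; it is not the library's parser and does not replace disabling raw HTML parsing.

```javascript
// Added example for this thread, not code from markdown-to-jsx or from the
// issue authors. The option named in the thread, disableParsingRawHTML, is the
// library-side fix: raw HTML in the markdown is then emitted as text instead of
// being parsed into elements. The audit below is a defence-in-depth layer an
// app can run on untrusted markdown before rendering, so that inputs carrying
// <iframe>, srcdoc= or javascript: URLs (the variants shown in the thread)
// are logged and can be investigated.

// Options an app would pass to the renderer. The option name comes from the
// thread; the constant itself is this example's own (assumption).
const SAFE_RENDER_OPTIONS = Object.freeze({ disableParsingRawHTML: true });

// Elements that embed or execute active content.
const ACTIVE_CONTENT_TAGS = new Set(['iframe', 'frame', 'script', 'object', 'embed']);

// Matches one raw HTML tag: optional "/" for closing tags, the tag name, and
// the attribute region. Quoted attribute values may contain ">" and newlines.
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;

// Attributes whose value is navigated to or loaded as a URL.
const URL_ATTR_RE = /\b(?:src|href|action|formaction)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

// Inline event handler attributes such as onload= or onerror=.
const EVENT_ATTR_RE = /\son[a-z]+\s*=/i;

// Normalise a URL value for scheme comparison: drop surrounding quotes, then
// strip whitespace and control characters that browsers ignore inside a scheme.
function normalizeUrl(raw) {
  let value = raw;
  if (/^["']/.test(value)) value = value.slice(1, -1);
  return value.replace(/[\s\u0000-\u001f]+/g, '').toLowerCase();
}

// Scan markdown for raw HTML that should never come from an untrusted author.
// Returns an array of { tag, reason } findings; an empty array means none found.
function auditRawHtml(markdown) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(markdown)) !== null) {
    const [, closing, rawTag, attrs] = m;
    if (closing === '/') continue; // closing tags carry no attributes
    const tag = rawTag.toLowerCase();

    if (ACTIVE_CONTENT_TAGS.has(tag)) {
      findings.push({ tag, reason: 'active-content element' });
    }
    if (/\bsrcdoc\s*=/i.test(attrs)) {
      findings.push({ tag, reason: 'srcdoc attribute' });
    }
    URL_ATTR_RE.lastIndex = 0;
    let a;
    while ((a = URL_ATTR_RE.exec(attrs)) !== null) {
      if (normalizeUrl(a[1]).startsWith('javascript:')) {
        findings.push({ tag, reason: 'javascript: URL' });
      }
    }
    if (EVENT_ATTR_RE.test(attrs)) {
      findings.push({ tag, reason: 'inline event handler' });
    }
  }
  return findings;
}

// What the app hands to its renderer: always the hardened options, plus the
// findings so the caller can log the event or reject the document.
function reviewForRender(markdown) {
  const findings = auditRawHtml(markdown);
  return { options: SAFE_RENDER_OPTIONS, findings, clean: findings.length === 0 };
}

// Constructed sample inputs. javascriptUrl is the snippet posted in the thread;
// the others are made up for this example.
const SAMPLES = {
  plain: '# Title\n\nSome *markdown* with a [link](https://example.com).',
  srcdoc: '<iframe srcdoc="<p>hello</p>"></iframe>',
  javascriptUrl: '<IFRAME\nSRC="javascript:alert(document\n.domain);"></IFRAME>',
  eventHandler: '<img src="/logo.png" onload="track()">',
};

for (const [name, md] of Object.entries(SAMPLES)) {
  const { clean, findings } = reviewForRender(md);
  console.log(name, clean ? 'clean' : findings.map((f) => `${f.tag}: ${f.reason}`).join('; '));
}
```

Run it with node to see one line per sample. The split across lines in the posted payload is handled because whitespace and control characters are stripped before the scheme is compared; the audit is a detection aid only, and the rendering call should still pass SAFE_RENDER_OPTIONS regardless of what the audit reports.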
