
XSS Vulnerability

See original GitHub issue

Hey,

someone pointed out an issue in another Angular markdown library about an XSS vulnerability, and it seems that this library presents the same issue as well.

Links are not being validated and, as such, the following code could be used to execute JavaScript code:

[Click Me](javascript:alert('Injected!'%29)

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:16 (9 by maintainers)
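The gap the issue describes, as an added example that is not part of the original issue or of the ngx-markdown/marked code: a minimal markdown link renderer that copies the link destination straight into href, beside a hardened version that allowlists URL schemes before emitting a link. The link grammar is deliberately simplified, the allowlist of http/https/mailto is an assumed policy, and the payload is the one from the issue, embedded as constructed input.

```javascript
// Added example, not code from ngx-markdown or marked: a minimal markdown
// link renderer that shows why an unvalidated link destination is an XSS
// sink, next to a hardened version that allowlists URL schemes.

// Constructed input: the payload from the issue. The closing ")" is
// percent-encoded as %29 so it does not terminate the markdown link early;
// the browser decodes it again when it evaluates the javascript: URL.
const PAYLOAD = "[Click Me](javascript:alert('Injected!'%29)";

// Simplified inline-link syntax: [text](destination), where the destination
// contains no whitespace and no ")" (enough here; not a CommonMark parser).
const LINK_RE = /\[([^\]]*)\]\(([^)\s]*)\)/g;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: HTML-escaping the destination prevents attribute
// breakout, but any scheme (javascript:, data:, vbscript:) still lands in href.
function renderLinksUnsafe(md) {
  return md.replace(LINK_RE, (_, text, dest) =>
    `<a href="${escapeHtml(dest)}">${escapeHtml(text)}</a>`);
}

// Assumed policy: only these schemes may be emitted as clickable links.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Decide whether a destination may become an href. It is normalised the way
// a markdown renderer and a browser would before the scheme is compared, so
// common obfuscations are caught:
//   - numeric character references (CommonMark decodes them in destinations)
//   - percent-encoding ("%6Aavascript:" is refused too)
//   - ASCII control characters and whitespace ("java\tscript:")
function isSafeUrl(raw) {
  let u;
  try {
    u = raw
      .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
      .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
    u = decodeURIComponent(u);
  } catch (e) {
    return false; // malformed encoding: refuse rather than guess
  }
  u = u.replace(/[\x00-\x20\x7f]/g, '');
  // Relative destinations carry no scheme and inherit the page's own.
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(u);
  if (!m) return true;
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Hardened renderer: an unsafe destination is dropped and only the visible
// text is kept, so the reader still sees "Click Me" but nothing is clickable.
function renderLinksSafe(md) {
  return md.replace(LINK_RE, (_, text, dest) =>
    isSafeUrl(dest)
      ? `<a href="${escapeHtml(dest)}">${escapeHtml(text)}</a>`
      : escapeHtml(text));
}

console.log(renderLinksUnsafe(PAYLOAD)); // href="javascript:..." survives
console.log(renderLinksSafe(PAYLOAD));   // Click Me
```

The scheme check is the same class of control that Angular's DomSanitizer applies to href attributes under SecurityContext.HTML (it rewrites disallowed URLs with an `unsafe:` prefix instead of dropping the link); doing the check in the renderer as well means the output is safe even when it is later bound with sanitization turned off.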

Top GitHub Comments

2 reactions
jfcere commented, Feb 17, 2020

⚠️ Breaking Change

Dependencies have been updated to support Marked 0.8.0 in the latest ngx-markdown v9.0.0 release, which brings some breaking changes regarding sanitization configuration.

Due to deprecation by Marked, the following properties have been removed from MarkedOptions when configuring the MarkdownModule:

  • sanitize: boolean
  • sanitizer: function

Instead, sanitization is now enabled by default when importing MarkdownModule.forRoot(). It uses Angular DomSanitizer with SecurityContext.HTML by default to avoid XSS vulnerabilities. The security level can be configured or turned off by specifying the SecurityContext using the sanitize option (outside markedOptions).

import { SecurityContext } from '@angular/core';
import { MarkdownModule } from 'ngx-markdown';

// enable default sanitization (SecurityContext.HTML)
MarkdownModule.forRoot()

// turn off sanitization
MarkdownModule.forRoot({
  sanitize: SecurityContext.NONE
})

Be sure to follow the sanitization section in the README file for instructions.

2 reactions
jfcere commented, Aug 28, 2019

I've communicated with the NPM Security Team and, after I provided mitigation steps, they removed the vulnerability report.

They are suggesting that I add a warning to the README.md documentation in order to bring this issue/workaround to users' attention and avoid potential security risks.

A second option would be to switch the sanitize option to true by default and still add documentation on how to turn it off.

Action will be taken soon about the documentation, and I'll think about the default value of the sanitize option.

Read more comments on GitHub >
