Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Script injection vulnerability in search component
See original GitHub issueDescription
If any of your markdown documents contain script injection examples such as the following:
<style onload='alert("You executed this bit of JS");'></style>
You’ll trigger a script injection attack on yourself when the document shows up in the search result.
Expected behavior
I would expect mkdocs-material to not inject user-generated input straight into the DOM. This is happening due to the use of {{ __html }} in the search result component.
Actual behavior
It triggers an injection attack.
Steps to reproduce the bug
You can download a minimal working example here or follow the guide below
Put the following anywhere in a document and write a search query that finds the document
```
<style onload='alert("You executed this bit of JS");'></style>
```
or
`<style onload='alert("You executed this bit of JS");'></style>`
Package versions
I’m using verison 3.0.5 of the docker image
Project configuration
site_name: 'Example of injection'
theme:
name: 'material'
nav:
- Home: index.md
System information
- OS: macOS
- Browser: Chrome
Issue Analytics
- State:
- Created 5 years ago
- Comments:13 (10 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Are you talking about this bug https://github.com/Python-Markdown/markdown/issues/746?
The bug has been fixed, but we are still waiting for an official release. It snuck in with the newest 3.0 release, but it will be fixed in the next release.
Great, I’ll prepare a release.