@brianlechthaler
Last active September 6, 2020 05:48
Check whether a markdown parser is vulnerable to XSS in this interactive PSA

Markdown Cross-Site-Scripting (XSS) Sanitization Check

An interactive PSA by Brian Lechthaler

Proof of Concept

Note: if you're viewing this on GitHub the following line will not contain a clickable link. Thanks, GitHub security team!

Is your markdown parser vulnerable to XSS? click here to find out!

Is this unsafe?

This is totally harmless. All we're trying to do here is pop open an alert in the browser.

But think about the implications of this. A link whose target is a `javascript:` URL runs its script in the origin of whatever page rendered the markdown, with the same access the logged-in user has. If the parser lets that link through, we can run whatever JavaScript we'd like on that page.

Easy Instructions

  1. Obtain explicit permission from the owner of the app you're testing this on.

  2. Copy the raw (unrendered) markdown of this gist into the app's input field.

  3. Try to "Preview" or "Submit" it.

  4. Try clicking the link in the Proof of Concept. If an alert box appears, the parser passed the `javascript:` URL through to the page unsanitized.

Credits

License: Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0)

You can find me here:
