HackerOne: Improper filtering of classes used in codeblocks in Markdown

2014-05-22T13:55:53
ID H1:12815
Type hackerone
Reporter markijbema
Modified 2014-07-08T10:00:25

Description

Redcarpet just uses the name of the language as the classname of the element. So if the classnames are of significance to the site, one can break the site using this. For instance, this report disables the topbar, and can trigger the user into opening a popup. Proof of concept:

js-topbar
i eat the topbar

js-share-link
i open a popup
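The filtering this report says is missing, as an added Ruby example (not Redcarpet's or HackerOne's code): the first function reproduces the described behaviour of copying the language name into the class attribute, the second only emits allowlisted names under a `language-` prefix so they cannot collide with classes the site's JavaScript hooks. The allowlist, the prefix, the function names and the sample input are assumptions made for illustration.

```ruby
# Added example, not Redcarpet's code. Allowlist, prefix and names are assumptions.
TICKS = "`" * 3                                # fence marker, built so no literal fence appears here
FENCE = /^`{3}([^\n`]*)\n(.*?)^`{3}[ \t]*$/m   # captures the info string and the block body
ALLOWED_LANGS = %w[ruby python javascript json shell].freeze  # assumed site allowlist
HTML_ESC = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
             '"' => "&quot;", "'" => "&#39;" }.freeze

# Minimal HTML escaping for text and attribute values.
def h(text)
  text.gsub(/[&<>"']/, HTML_ESC)
end

# Behaviour the report describes: the language name becomes the class verbatim,
# so any class the site's scripts react to can be placed on the element.
def render_unfiltered(markdown)
  markdown.scan(FENCE).map do |info, body|
    %(<pre><code class="#{h(info.strip)}">#{h(body)}</code></pre>)
  end
end

# Hardened: take the first word of the info string, accept it only if it is
# allowlisted, and namespace it. Returns nil when no class should be emitted.
def code_class(info, allowed)
  lang = info.strip.split(/\s+/).first.to_s.downcase
  allowed.include?(lang) ? "language-#{lang}" : nil
end

def render_filtered(markdown, allowed: ALLOWED_LANGS)
  markdown.scan(FENCE).map do |info, body|
    cls = code_class(info, allowed)
    attr = cls ? %( class="#{cls}") : ""
    "<pre><code#{attr}>#{h(body)}</code></pre>"
  end
end

# Constructed sample: the two class names from the report plus one allowed language.
SAMPLE = [["js-topbar", "i eat the topbar"],
          ["js-share-link", "i open a popup"],
          ["ruby", "puts 1 < 2"]]
         .map { |lang, body| "#{TICKS}#{lang}\n#{body}\n#{TICKS}\n" }.join("\n")

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered:", render_unfiltered(SAMPLE)
  puts "filtered:", render_filtered(SAMPLE)
end
```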