HackerOne: Markdown parsing issue enables insertion of malicious tags and event handlers

2017-12-20T22:09:47
ID H1:299728
Type hackerone
Reporter dr_dragon
Modified 2018-01-29T16:37:43

Description

When markdown is being presented as HTML, there seems to be a strange interaction between _ and @ that lets an attacker insert malicious tags.

Proof of Concept:

</http:<marquee>hello

is converted to the following HTML:

<p><a title="/http:<marquee" href="/http:%3Cmarquee" target="_blank">/http:<marquee>hello</p> </marquee></a></p>

As you can see, the output includes a </http:<marquee tag to which I can add arbitrary attributes (including event handlers).
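As an added illustration (not HackerOne's renderer, whose parsing logic the report does not show), the toy autolinker below reproduces the defect class described above, a link destination interpolated into a title attribute and anchor body without escaping, beside a hardened version that validates the URL and escapes every interpolated value. The link regex, function names and rel="noopener" are assumptions.

```javascript
// Added example, not HackerOne's renderer: a toy autolinker that reproduces the
// defect class from the report beside a hardened version. The regex, function
// names and rel="noopener" are assumptions; the real parser's logic is unknown.
const POC_INPUT = "</http:<marquee>hello"; // proof-of-concept input from the report

// Assumed link syntax: "</" + destination + ">" (mirrors title="/http:<marquee"
// in the reported output, where the destination ran up to the next ">").
const LINK_RE = /<\/(http:[^>]*)>/g;

// Escape the characters that matter inside a text node or a double-quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Vulnerable: the destination is interpolated raw into title= and the anchor
// body, so a "<" inside it starts a real tag and attributes can follow it.
function autolinkUnsafe(md) {
  const body = md.replace(LINK_RE, (_, dest) =>
    `<a title="/${dest}" href="/${encodeURI(dest)}" target="_blank">/${dest}></a>`);
  return `<p>${body}</p>`;
}

// Hardened: parse the destination with the URL parser, allow only http(s), and
// escape every value before it reaches an attribute or text node. Anything that
// is not a valid http(s) URL is emitted as the original text, escaped.
function renderLink(dest) {
  const asText = () => escapeHtml("</" + dest + ">");
  let url;
  try { url = new URL(dest); } catch { return asText(); }
  if (url.protocol !== "http:" && url.protocol !== "https:") return asText();
  const safe = escapeHtml(url.href);
  return `<a title="${safe}" href="${safe}" target="_blank" rel="noopener">${safe}</a>`;
}

function autolinkSafe(md) {
  // split() with a capturing group: even indexes are plain text, odd are destinations
  const parts = md.split(LINK_RE);
  return "<p>" + parts.map((p, i) => (i % 2 ? renderLink(p) : escapeHtml(p))).join("") + "</p>";
}

// Defender's check: does the rendered HTML contain a real start tag for a name
// that only ever appeared as data in the input?
function hasRawTag(html, name) {
  return new RegExp(`<${name}[\\s>/]`, "i").test(html);
}

console.log(autolinkUnsafe(POC_INPUT)); // <marquee> survives as a real tag
console.log(autolinkSafe(POC_INPUT));   // &lt;marquee&gt; is inert text
```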

Impact

When markdown is being presented as HTML, there seems to be a strange interaction between _ and @ that lets an attacker insert malicious tags.