Another Filter bypass leading to XSS

[TheGrandPew]

On the latest release (2.3.8) a payload like this one can lead to xss and bypass safe_mode when set to true.

<lol@/ //id="pwn"//onclick="alert(1)"//**abc**

The Problem:
I think its due to just bad regex's not detecting non alphanumeric tags.

[avramit]

It seems like the parser doesn't escape tags that don't match the following pattern, so everything that isn't [a-zA-Z0-9_] can be used to bypass the escaping mechanism

python-markdown2/lib/markdown2.py

Line 2167 in 4d2fc79

_incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")

The following payload will also work:

<x- onclick="alert(1)"*Click Me*

[TheGrandPew]

Has been assigned CVE-2020-11888.

[xurble]

I didn't see the PR from @v1dhun before I submitted mine. However, having had more time to think about it, they're both flawed.

Mine can be defeated by this:
<x:// onclick="alert(1)"*Click Me*

The other can be defeated by this
<x- onclick ="alert(1)"*Click Me*
Also, it breaks a bunch of unit tests.

This needs a little more thought

[v1dhun]

HI @xurble ,
I updated the code with checking white-spaces, Now its working fine.Could you please check it

[huntr-helper]

👋 Hey! We've recently opened a bug bounty against this issue, so if you want to get rewarded 💰 for fixing this vulnerability 🕷, head over to https://huntr.dev!

[xurble]

@v1dhun I think we've both fixed it right now. Either would be OK, or the maintainers might have a better idea altogether.

[kravietz]

Regex is going to be always bypassed as it assumes specific syntax while combinations for a renderable HTML are practically unlimited. This is one of the fundamental recommendations from OWASP XSS Prevention Cheat-sheet.

I'd recommend running the input text through bleach which is a whitelist-based HTML sanitizer.

I had a look at the markdown2 code but to be honest I don't know the code base enough to be able to see see an obvious place to plug it in.

[nicholasserra]

I merged @xurble PR as it was on the main repo. LGTM, thank you!

I'm a little hesitant to introduce another library like bleach to sanitize final output. But it may be a good solution. Needs investigating.

[kravietz]

@nicholasserra Yes, that's the classic dilemma. As developer I would probably prefer a big fat notice in the documentation stating that the main purpose of the library is not to sanitize untrusted code but to render Markdown, just to set the expectations right.

[thmo]

Does this warrant a new release?
The 2.3.8 release is about a year old...

[xurble]

If it sways your thinking, the library is flagged by sentry, which is how I discovered the issue.