Javascript in note gets executed

Hello everyone,
I tried with both 1.7.11 and 1.8.3 (on Windows 10), working directly in the markdown editor.
If I have this simple javascript code as text, code or inline code

<img src="test" onerror="alert('123')"/>

it will be executed and pop up the alert and show a broken image sign below. This is anything but wanted, so I hope somebody can tell me how to avoid this without "destroying" the code with e.g. an unwanted blank somewhere.
Thanks in advance and nice greetings


I thought that was filtered out. Any chance you could open a bug report on GitHub to track this?


It is filtered actually but I guess it's broken for you. Do you have any plugin running?

Stupid me, I searched forever for a solution but completely forgot about the plugins.
"Rich Markdown" (v0.4.1) is/was the troublemaker.
Sorry for bothering you and thanks for checking!


That's an issue, I'm glad you found it. I'll make an update soon to fix it.


@t7d3l I've just pushed v0.4.2 which fixes this issue. Thanks for finding/reporting it! Please let me know if you run into any other issues.


@CalebJohn, it seems the noscript tag can also be used to cause an XSS, so you might want to add it to the list (I need to add it too).

