3

The primary XSS vulnerability in (PHP) markdown after disallowing HTML tags seems to be that it allows links like this:

[foo](javascript:alert('xss'))

which will turn into

<a href="javascript:alert('xss')">foo</a>

and the same applies for <img src="">.

I'm currently developing a very basic Q&A section on a site, and I use markdown for the questions and the answers. I can quite confidently say that the only legitimate use of links on this site will be http:// or https:// links.

If I modified the regex markdown uses to process links and allowed only urls beginning with the characters http, would that prevent XSS attacks?

P.S. This isn't part of my current question, but I would be much obliged if some kind soul showed me how to modify the frustratingly complex regex in question.

EDIT: I have already read PHP Markdown XSS Sanitizer and the only reason I'm asking this question is because I'm considering an alternate approach. My question is not 'How to sanitize markdown output to prevent XSS' but rather, 'Will this approach prevent XSS attacks'? As such, it is not a duplicate, it is an alternative. Also, doesn't the fact that this question received upvotes show that there are at least some people who are wondering the same thing I am even though the earlier question exists?

Community
  • 1
  • 1
Vivek Ghaisas
  • 961
  • 1
  • 9
  • 24
  • I would say take a look at [htmlentities](http://php.net/manual/en/function.htmlentities.php) – HamZa May 21 '13 at 08:48
  • @HamZaDzCyberDeV What about encoded urls? – Vivek Ghaisas May 21 '13 at 08:48
  • I don't know how exactly markdown works, but htmlentities will convert this `foo` to this `<a href="javascript:alert('xss')">foo</a>`. – HamZa May 21 '13 at 08:51
  • @HamZaDzCyberDeV I misunderstood last time, sorry. The problem with `htmlentities` is that it won't allow legitimate links through. I don't have a problem with normal `http://www.google.com` kind of links. – Vivek Ghaisas May 21 '13 at 08:53
  • Ah (facepalm) you're right ... – HamZa May 21 '13 at 08:53
  • Can you provide the regex or is it too big ? – HamZa May 21 '13 at 08:58
  • It's a multipart process. I'll try and figure out what's actually going on and then provide the regex if possible. – Vivek Ghaisas May 21 '13 at 09:01
  • @HamZaDzCyberDeV there are 3 functions, a total of around 3000 characters, so yeah, I think it would too much. – Vivek Ghaisas May 21 '13 at 09:07
  • What you could do is the following, use a HTML parser to get all the links and maybe ` – HamZa May 21 '13 at 09:10
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/30312/discussion-between-vivek-ghaisas-and-hamza-dzcyberdev) – Vivek Ghaisas May 21 '13 at 09:14
  • 1
    look at the related questions. The most popular answer seems to be to pass the result of the Markdown parser to HtmlPurifier. – Carlos Campderrós May 21 '13 at 10:28
  • @CarlosCampderrós I've read that question, and am searching for alternate solutions, such as the one I proposed above. – Vivek Ghaisas May 21 '13 at 12:43

0 Answers0