Fast markdown library not vulnerable to XSS


#1

I’ve checked some of the markdown libraries available for Ember and none of them have an option to sanitize the output, which makes them vulnerable to XSS attacks, and the ones I checked are. Do you know any simple way to implement safe markdown in Ember? One that is not vulnerable to XSS attacks.


#2

I don’t have an answer to your question; instead I have a question: which libraries are vulnerable, and do you have any tests you can share?


#3

Sure, the community should be aware. Vulnerable are ember-cli-showdown (https://github.com/gcollazo/ember-cli-showdown) and ember-marked (https://github.com/huafu/ember-marked); I’ve checked a third one too that was vulnerable, but I do not recall its name atm. While ember-marked is not vulnerable to all vectors because it does basic sanitizing, it is vulnerable to more sophisticated ones. ember-cli-showdown is vulnerable to all XSS vectors.


#4

Most markdown libraries do not attempt to prevent XSS or sanitize output.

Instead, we can sanitize the output with another library, e.g. xss, which provides a filterXSS function.

A format-markdown helper might look like:

Ember.Handlebars.registerBoundHelper('format-markdown', function(markdown) {
  // Escape the raw input, render it, then run the rendered HTML through
  // filterXSS so that any markup the markdown library let through is stripped.
  markdown = Ember.Handlebars.Utils.escapeExpression(markdown);
  var html = MarkdownLib.format(markdown);
  var safeHtml = filterXSS(html);
  return new Ember.Handlebars.SafeString(safeHtml);
});
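The render-then-sanitize pipeline from #4, as an added example that is not code from this thread, from Ember, or from any of the libraries named above. It uses a constructed stand-in for the markdown library (one that, like the ones discussed, passes raw HTML through untouched) and a small allow-list sanitizer standing in for the xss package's filterXSS, with a scheme check on href/src. `renderMarkdown`, `sanitizeHtml`, `safeUrl`, `decodeEntities` and `formatMarkdownSafely` are names made up for this example, and the markdown inputs at the bottom are constructed test vectors.

```javascript
// Added example, not code from the thread: "render first, then sanitize the
// rendered HTML", with constructed stand-ins for the markdown library and for
// filterXSS so that it runs offline.

// Tags and attributes that may survive sanitizing. Anything else is stripped.
const ALLOWED = {
  p: [], br: [], em: [], strong: [], code: [], pre: [], ul: [], ol: [], li: [],
  a: ['href', 'title'],
  img: ['src', 'alt', 'title'],
};
const URL_ATTRS = new Set(['href', 'src']);
// Elements whose content must go too, not just the tag.
const DROP_WITH_CONTENT = /<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;

// Stand-in for a markdown library that passes raw HTML through untouched.
// Supports paragraphs, *em*, [text](url) and ![alt](url); nothing more.
function renderMarkdown(md) {
  return md.split(/\n{2,}/).map((block) => {
    const html = block
      .replace(/!\[([^\]]*)\]\(([^)\s]+)\)/g, '<img src="$2" alt="$1">')
      .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>')
      .replace(/\*([^*]+)\*/g, '<em>$1</em>');
    return '<p>' + html + '</p>';
  }).join('\n');
}

// Decode the entities that can disguise a URL scheme before checking it.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', Tab: '\t', NewLine: '\n' };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&([a-zA-Z]+);/g, (m, n) => (n in named ? named[n] : m));
}

// Only http, https, mailto and relative URLs are allowed in href/src.
function safeUrl(value) {
  const v = decodeEntities(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return !m || ['http', 'https', 'mailto'].includes(m[1].toLowerCase());
}

// Allow-list sanitizer over rendered HTML (stand-in for filterXSS).
function sanitizeHtml(html) {
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|<!--[\s\S]*?-->|[^<]+|</g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let m;
  html = html.replace(DROP_WITH_CONTENT, '');
  while ((m = tokenRe.exec(html)) !== null) {
    const [token, name, attrs] = m;
    if (name === undefined) {
      // Text passes through; comments and stray '<' are neutralised.
      out += token.replace(/</g, '&lt;').replace(/>/g, '&gt;');
      continue;
    }
    const tag = name.toLowerCase();
    if (!(tag in ALLOWED)) continue;                 // unknown tag: drop it, keep its text
    if (token.startsWith('</')) { out += '</' + tag + '>'; continue; }
    const kept = [];
    let am;
    attrRe.lastIndex = 0;
    while ((am = attrRe.exec(attrs)) !== null) {
      const attr = am[1].toLowerCase();
      const value = am[2] !== undefined ? am[2] : am[3] !== undefined ? am[3] : am[4];
      if (!ALLOWED[tag].includes(attr)) continue;    // drops onerror=, style=, etc.
      if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
      kept.push(attr + '="' + value.replace(/"/g, '&quot;') + '"');
    }
    out += '<' + tag + (kept.length ? ' ' + kept.join(' ') : '') + '>';
  }
  return out;
}

// The pipeline from #4: render, then sanitize the rendered HTML.
function formatMarkdownSafely(md) {
  return sanitizeHtml(renderMarkdown(md));
}

// Constructed inputs: a disguised javascript: link, raw HTML with an event
// handler, an inline script, a data: image, and an ordinary link that must survive.
console.log(formatMarkdownSafely('[click](jav&#x61;script:alert%281%29)'));
console.log(formatMarkdownSafely('<img src=x onerror=alert(1)>'));
console.log(formatMarkdownSafely('<script>alert(1)</script>Hello *world*'));
console.log(formatMarkdownSafely('![x](data:text/html;base64,AAAA)'));
console.log(formatMarkdownSafely('Read [the docs](https://example.com/?a=1&b=2) now'));
```

Because the sanitizer runs on the HTML the markdown library produced, a `javascript:` link written in markdown syntax and an `onerror` attribute passed through as raw HTML are both neutralised by the same code, and the ordinary link keeps its href. Decoding entities before the scheme check matters because `jav&#x61;script:` in an attribute is `javascript:` to the browser.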

#5

Thanks gerry3, after more searching I’ve found the remarkable library, which has XSS protection. I’ve tested some attack vectors and it seems safe (links, img etc.) when you have custom HTML turned off. Anyway, thanks!