XSS in markdown filter · Issue #9292 · netbox-community/netbox
NetBox version
v3.2.2
Python version
3.8
Steps to Reproduce
The markdown filter uses Python-Markdown with the Fenced Code Blocks extension (https://python-markdown.github.io/extensions/fenced_code_blocks/) to render markdown-formatted text. ( https://github.com/netbox-community/netbox/blob/8d682041a43b6176198f64bd80a46ea9ed99d2d8/netbox/utilities/templatetags/builtins/filters.py#L140,L167 )
It is possible to break out of the HTML attributes added by the fenced code blocks extension to form a new, arbitrary HTML tag. Since the rendering of markdown HTML occurs after the stripping of HTML tags, this avoids the sanitization performed by django.utils.html.strip_tags.
The following payload will trigger an XSS wherever the markdown filter is being used:
``` { ."><script/}
alert(/XSS/);
/*
```
Expected Behavior
If possible, sanitize the end result of the markdown processing, so that even if Python-Markdown fails to strip or incorrectly formats HTML, an attacker wouldn't be able to abuse it.
Observed Behavior
XSS
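The mitigation the report asks for, sanitizing the rendered HTML rather than the markdown input, as an added example that is not part of the original issue, not NetBox's code and not the fix that shipped. It is a standard-library allow-list sanitizer: the allow-list of tags and attributes is an assumption about what markdown output normally needs, `render_markdown_safely` is hypothetical wiring around any renderer callable, and `SAMPLE_RENDERED` is a constructed string modelled on the class-attribute breakout the report describes, not the exact bytes NetBox emitted.

```python
"""Allow-list sanitizer run over rendered markdown HTML (added example)."""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for what markdown output normally needs; not NetBox's list.
ALLOWED_TAGS = {
    "p", "br", "hr", "pre", "code", "em", "strong", "del", "blockquote",
    "ul", "ol", "li", "h1", "h2", "h3", "h4", "h5", "h6",
    "a", "table", "thead", "tbody", "tr", "th", "td",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "code": {"class"}}
VOID_TAGS = {"br", "hr"}
DROP_WITH_CONTENT = {"script", "style"}     # tag and its text both go
SAFE_HREF = re.compile(r"^(https?://|mailto:|/|#)", re.IGNORECASE)
SAFE_CLASS = re.compile(r"^[\w-]*( [\w-]+)*$")   # e.g. "language-python"


class AllowListSanitizer(HTMLParser):
    """Re-emits only allow-listed tags/attributes; everything else is dropped.
    Comments and declarations are dropped by the HTMLParser defaults."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # tag names removed; worth logging as a signal
        self._skip = 0      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append(tag)
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)    # tag removed, its text content kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # no on*, style, src, ...
            if name == "href" and not SAFE_HREF.match(value):
                continue                # javascript:, data:, vbscript: ...
            if name == "class" and not SAFE_CLASS.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(self._skip - 1, 0)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(html):
    """Return (clean_html, dropped_tags)."""
    p = AllowListSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


def render_markdown_safely(text, renderer):
    """Hypothetical wiring: sanitize the renderer's OUTPUT, not its input.
    `renderer` is any markdown-to-HTML callable, e.g. markdown.markdown with
    the fenced_code extension."""
    clean, _dropped = sanitize_html(renderer(text))
    return clean


# Constructed sample modelled on the report: a class-attribute breakout that
# leaves a <script> element inside the fenced code block. Not NetBox's output.
SAMPLE_RENDERED = '<pre><code class=""><script>alert(/XSS/);</script>"></code></pre>'

if __name__ == "__main__":
    clean, dropped = sanitize_html(SAMPLE_RENDERED)
    print(clean)      # the script element is gone, the stray text is escaped
    print(dropped)    # ['script']
```

Because the sanitizer runs on the renderer's output, it does not matter how the markup came to be: a breakout of the `class` attribute, a raw HTML block, or a renderer bug all reach the same allow-list. The `dropped` list is the hook for logging or alerting, since a legitimate markdown field should rarely produce a `script` or `img` tag that has to be removed.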