Posts F[0x04] Reflected XSS in Markdown Live Preview

F[0x04] Reflected XSS in Markdown Live Preview

[Backdated Post]Date of finding: 13/08/2020 Actual date of publication: 25/10/2020[Backdated Post]

In this post I will describe a (small) vulnerability I discovered when testing the security of online markdown editors.

The specific editor in which I found this reflected XSS vulnerability was Markdown Live Preview.

The Finding

As described in this issue, the vulnerability can be exploited by entering javascript anywhere in the editor.

I could not find a way to turn this into a stored XSS attack, since the platform did not allow me to store and/or share the markdown I wrote down, a common feature in other online editors.


Sanitizing the user-supplied markdown remediates this vulnerability, as is showcased in the applied fix.

This post is licensed under CC BY 4.0 by the author.
Hell is empty and all the devils are here.