[Backdated Post] | Date of finding: 13/08/2020 | Actual date of publication: 25/10/2020
In this post I will describe a (small) vulnerability I discovered when testing the security of online markdown editors.
The specific editor in which I found this reflected XSS vulnerability was Markdown Live Preview.
I could not find a way to turn this into a stored XSS attack, since the platform did not allow me to store and/or share the markdown I wrote down, a common feature in other online editors.
Sanitizing the user-supplied markdown remediates this vulnerability, as is showcased in the applied fix.
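
To illustrate the remediation, here is an added example that is not from the original post and is not the editor's actual fix. It uses a hypothetical minimal inline-markdown renderer and compares raw pass-through with a hardened path that escapes embedded HTML and allowlists link schemes (a simpler technique than a full HTML sanitizer library). All names and sample inputs are constructed.

```javascript
// Added example: hypothetical minimal inline-markdown renderer (not the editor's code).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Assumed policy: only these schemes (or scheme-less relative URLs) may be linked.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(url) {
  // Browsers ignore tabs/newlines inside a URL, so drop them before checking the scheme.
  const cleaned = url.replace(/[\u0000-\u0020\u007f]/g, '');
  const scheme = /^[a-z][a-z0-9+.-]*:/i.exec(cleaned);
  if (scheme && !SAFE_SCHEMES.has(scheme[0].toLowerCase())) return '#';
  return cleaned;
}

// sanitize=false mirrors a preview that passes user markdown straight to innerHTML.
function renderInline(src, sanitize) {
  const text = sanitize ? escapeHtml(src) : src; // neutralise raw HTML first
  return text
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\(([^)]+)\)/g, (_, label, url) =>
      `<a href="${sanitize ? safeHref(url) : url}">${label}</a>`);
}

// Constructed sample inputs, not taken from the original finding.
const SAMPLES = [
  'Hello **world** <img src=x onerror=alert(1)>',
  '[click](javascript:x)',
  '[click](java\tscript:x)',
  '[site](https://example.com/?a=1&b=2)',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify({ input: s, raw: renderInline(s, false), safe: renderInline(s, true) }));
}
```

The hardened path disables inline HTML entirely; an editor that must keep some inline HTML needs an allowlist-based HTML sanitizer applied to the rendered output instead.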