search.js v4.12.1 Cross-Site Scripting #1549

Closed
Ares-X opened this issue Mar 31, 2021 · 5 comments · Fixed by #1551
Comments

@Ares-X

Ares-X commented Mar 31, 2021

Bug Report

Steps to reproduce

1. create a simple docsify project

file tree

.
├── README.md
├── _sidebar.md
├── index.html
└── test
    └── xss.md

index.html

<!DOCTYPE html>

<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>test</title>
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
  <meta name="description" content="Description">
  <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/docsify/lib/themes/vue.css">
  <link rel="stylesheet" href="/css/sidebar.css">
</head>
<body>

  <div id="app"></div>

  <script>
    window.$docsify = {
      loadSidebar: true,
      homepage: './README.md',
      alias:{
        '/.*/_sidebar.md': '/_sidebar.md',
      },
      autoHeader: true,
      auto2top: true,
      search: {
        noData: {
          '/': 'No results!'
        },
        paths: 'auto',
        placeholder: {
          '/': 'Search'
        },
        hideOtherSidebarContent: true,
        depth: 1
      },
      name: 'test',
    }
  </script>

  <script src="//cdn.jsdelivr.net/npm/docsify/lib/docsify.min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/docsify/lib/plugins/search.js"></script>

</body>
</html>

xss.md

# xss test

    xss"><img src=1 onerror=alert(1)><"

_sidebar.md

- Test
  - [xss](./test/xss.md)

2. Start an HTTP server

[screenshots]

When the user searches for something near the XSS payload, the JavaScript which should render as markdown will be executed.

3. Input x in the search field

[screenshot]

What is current behaviour

What is the expected behaviour

Other relevant information

  • Bug does still occur when all/other plugins are disabled?

  • Your OS: Mac OS

  • Node.js version: v12.19.0

  • npm/yarn version:

  • Browser version:

  • Docsify version: 4.12.1

  • Docsify plugins: search.js

Please create a reproducible sandbox

https://xl9pw.csb.app/

Mention the docsify version in which this bug was not present (if any)

@sy-records
Member

sy-records commented Apr 1, 2021

You should not write the wrong content...

docsify does not filter erroneous content in the body.

cc @docsifyjs/reviewers

@Ares-X
Author

Ares-X commented Apr 1, 2021

4 spaces or one tab for code blocks is standard markdown syntax

# title

    code

I don't think this is wrong content

@sy-records
Member

Okay, I tested it without spaces...

xss"><img src=1 onerror=alert(1)><"

@Ares-X
Author

Ares-X commented Apr 1, 2021

Without code block syntax, markdown will render the code as HTML.
The problem comes from the search plugin not appropriately encoding code blocks, letting " escape.

[screenshots]
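As an added illustration (example code, not docsify's search.js and not the fix in #1551), the following JavaScript models a client-side search plugin that builds result HTML from indexed markdown text. The page renderer escapes an indented code block, so the payload is inert on the page itself; a search plugin that copies the same raw text into innerHTML without escaping reintroduces it as live markup. The index entry is constructed from the xss.md content above, and the function names (escapeHtml, highlight, renderResults, containsImgTag) are assumptions for this example.

```javascript
// Added example (not docsify's code): a simplified model of a search plugin
// that builds result HTML from indexed markdown text, showing the unescaped
// (vulnerable) and escaped (hardened) rendering side by side.

// Escape the five characters that matter in HTML text and attribute context.
// Dropping '"' from this set is enough to break out of an attribute, which is
// the gap the report above points at.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed search index (assumption for this example): one entry whose
// body is the raw text of the indented code block in xss.md above, with the
// four leading spaces removed, as a plugin indexing the markdown source sees it.
const INDEX = [
  {
    slug: '/test/xss',
    title: 'xss test',
    body: 'xss"><img src=1 onerror=alert(1)><"',
  },
];

// Wrap every occurrence of `query` in <em>, running `escape` over the text
// around and inside each match. Escaping the pieces first and adding the <em>
// markup afterwards keeps the highlight while the indexed text stays inert
// (escaping after highlighting would also neuter the <em> tags, and escaping
// the whole string first lets a query like "quot" match inside entities).
function highlight(text, query, escape) {
  if (!query) return escape(text);
  const pattern = query.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // match literally
  const re = new RegExp(pattern, 'gi');
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    out += escape(text.slice(last, m.index));
    out += `<em class="search-keyword">${escape(m[0])}</em>`;
    last = m.index + m[0].length;
  }
  return out + escape(text.slice(last));
}

// Render matching posts as the HTML a plugin would assign to innerHTML.
// `escape` defaults to escapeHtml (hardened); pass the identity function to
// reproduce the vulnerable behaviour described in the report.
function renderResults(query, index = INDEX, escape = escapeHtml) {
  const q = query.toLowerCase();
  return index
    .filter((p) => p.body.toLowerCase().includes(q) || p.title.toLowerCase().includes(q))
    .map(
      (p) =>
        `<div class="matching-post"><a href="#${escape(p.slug)}">` +
        `<h2>${highlight(p.title, query, escape)}</h2>` +
        `<p>${highlight(p.body, query, escape)}</p></a></div>`
    )
    .join('');
}

// Crude check: does the output contain a live <img> tag?
function containsImgTag(html) {
  return /<img\b/i.test(html);
}

const identity = (s) => s;
const vulnerable = renderResults('x', INDEX, identity);
const hardened = renderResults('x');
console.log('vulnerable:', vulnerable);
console.log('hardened:  ', hardened);
console.log('live <img> in vulnerable output:', containsImgTag(vulnerable)); // true
console.log('live <img> in hardened output:  ', containsImgTag(hardened)); // false
```

Searching for "x" reproduces step 3 of the report: with the identity escape the snippet lands in the results as a real img element with an onerror handler, while with escapeHtml the same text appears as literal characters and only the plugin's own em wrapper is markup.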

@sy-records
Member

Yes, here's what I removed, I'm revisiting
