Markdown Parser

Challenge Description

XSS in Markdown fenced code block

Source Code Analysis

  • markdown.js

    // The snippet calls escapeHtml() without showing it; this minimal
    // definition is supplied here so the file runs (assumed helper).
    function escapeHtml(text) {
        return text
            .replace(/&/g, '&amp;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#39;');
    }

    function parseMarkdown(markdownText) {
        const lines = markdownText.split('\n');
        let htmlOutput = "";
        let inCodeBlock = false;
        let language = "";   // undeclared (implicit global) in the original

        lines.forEach(line => {
            if (inCodeBlock) {
                if (line.startsWith('```')) {
                    inCodeBlock = false;
                    htmlOutput += '</code></pre>';
                } else {
                    // lines inside the block are escaped, so they are safe
                    htmlOutput += escapeHtml(line) + '\n';
                }
            } else {
                if (line.startsWith('```')) {
                    language = line.substring(3).trim();
                    inCodeBlock = true;
                    // add class to code block for syntax highlighting
                    // NOTE: `language` is concatenated into the attribute
                    // without escaping or validation (the vulnerable line)
                    htmlOutput += '<pre><code class="language-' + language + '">';
                } else {
                    line = escapeHtml(line);
                    line = line.replace(/`(.*?)`/g, '<code>$1</code>');
                    // the original listing is cut off here; a plain append
                    // is assumed for ordinary text lines
                    htmlOutput += line + '\n';
                }
            }
        });

        return htmlOutput;
    }


    Vulnerability Details:

    • It is possible to inject XSS on the same line as the opening triple backticks
    • In Markdown, triple backticks start a fenced code block, and the text after the three backticks declares the language of that block. The parser copies this value straight into the class attribute of the <code> element without any sanitization, so we can inject XSS there
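To make the problem and its fix concrete, here is an added example (not part of the challenge's source) that puts the vulnerable fence handling beside a hardened version which allow-lists the language token, and runs both over a constructed input whose info string contains a double quote. The names openCodeBlockVulnerable, openCodeBlockHardened, renderFences, hasAttributeBreakout, LANGUAGE_TOKEN and the data-marker attribute are chosen for this example and do not appear in the challenge code.

```javascript
// Added example (not the challenge's code): vulnerable fence handling
// beside a hardened variant, compared end to end on a constructed input.

function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable: whatever follows ``` is concatenated into the class attribute.
function openCodeBlockVulnerable(fenceLine) {
  const language = fenceLine.substring(3).trim();
  return '<pre><code class="language-' + language + '">';
}

// Hardened: the info string must be a short language-like token. Anything
// containing quotes, spaces, '<', '>' or '=' fails the allow-list and the
// class attribute is omitted entirely. escapeHtml() is applied to the
// surviving token as defence in depth.
const LANGUAGE_TOKEN = /^[A-Za-z0-9_+#.-]{1,32}$/;
function openCodeBlockHardened(fenceLine) {
  const info = fenceLine.substring(3).trim();
  const language = LANGUAGE_TOKEN.test(info) ? info : '';
  const cls = language ? ' class="language-' + escapeHtml(language) + '"' : '';
  return '<pre><code' + cls + '>';
}

// Minimal renderer that only handles fenced blocks, parameterised on the
// fence-opening function so both variants can be run on the same input.
function renderFences(markdownText, openCodeBlock) {
  let html = '';
  let inCodeBlock = false;
  for (const line of markdownText.split('\n')) {
    if (line.startsWith('```')) {
      html += inCodeBlock ? '</code></pre>\n' : openCodeBlock(line);
      inCodeBlock = !inCodeBlock;
    } else {
      // body lines (inside or outside a block) are escaped either way
      html += escapeHtml(line) + '\n';
    }
  }
  return html;
}

// Constructed input: the info string carries a double quote and a space,
// which no real language name contains. data-marker stands in for any
// attribute an attacker could append once the class attribute is closed.
const SAMPLE = [
  'Some text',
  '```js" data-marker="injected',
  'console.log(1)',
  '```',
].join('\n');

// Check used for detection: the renderer never emits data-marker itself,
// so its presence means the class attribute was broken out of.
function hasAttributeBreakout(html) {
  return /data-marker=/.test(html);
}

const vulnerableHtml = renderFences(SAMPLE, openCodeBlockVulnerable);
const hardenedHtml = renderFences(SAMPLE, openCodeBlockHardened);

console.log('vulnerable breakout:', hasAttributeBreakout(vulnerableHtml)); // true
console.log('hardened breakout:  ', hasAttributeBreakout(hardenedHtml));   // false
```

The allow-list, rather than escaping alone, is the important part: escaping the token would also stop the attribute breakout, but rejecting anything that is not a plain language name keeps the rendered class predictable for the highlighter and makes the check easy to reason about in review.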

Solution

This post is licensed under CC BY 4.0 by the author.