XSS: Javascript execution through links

[iamareebjamal]

Posting this:

[Just Regular Link](javascript:alert(1))

Renders

A link which will show alert on click. Should this be considered an XSS vulnerability and mitigated by library itself or by the users by creating a custom parser?

[vsch]

@iamareebjamal, I think an option is needed to filter out some URI formats for links. I will add it. That way custom link resolver will only be needed for special cases.

[iamareebjamal]

This has some info on flaws in other markdown renderers https://www.youtube.com/watch?v=0dgmeTy7X3I

[vsch]

• Fix: XSS: Javascript execution through links #221, XSS: Javascript execution through links, add HtmlRenderer.SUPPRESSED_LINKS
  default "javascript:.*", a regular expression to suppress any links that match. The test
  occurs before the link is resolved using a link resolver. Therefore any link matching will be
  suppressed before it is resolved. Likewise, a link resolver returning a suppressed link will
  not be suppressed since this is up to the custom link resolver to handle.

  Suppressed links will render only the child nodes, effectively [Something New](javascript:alert(1)) will render as if it was Something New.

  Link suppression based on URL prefixes does not apply to HTML inline or block elements. Use
  HTML suppression options for this.

[bvn13]

@vsch how to use SUPRESSED_LINKS ? could you give an example of configuration?

[vsch]

@bvn13, it is enabled by default but if you want to change the RegEx used for suppressing links you can add .set(HtmlRenderer.SUPPRESSED_LINKS, "your reg ex here") to your Parser/Renderer build options.

See the flexmark-java-samples module directory for examples.