Skip to content

Instantly share code, notes, and snippets.

@JoshData
Last active February 9, 2017 15:59
Show Gist options
  • Save JoshData/b615f60300c2ca272030a4b637e6eb23 to your computer and use it in GitHub Desktop.
Save JoshData/b615f60300c2ca272030a4b637e6eb23 to your computer and use it in GitHub Desktop.
Is your CommonMark renderer safe?

Potential CommonMark Exploits

This CommonMark file demonstrates some potential exploits if untrusted input is rendered with a compliant renderer. The point of this file isn't to say that CommonMark is unsafe --- the features below are very useful in many situations and are worth having in the CommonMark spec --- but that it is not safe to give untrusted input to CommonMark renderers without taking precautions.

Github doesn't render gists using CommonMark, so they won't appear as exploits below. Look at the source of this gist for the actual CommonMark.

Exploits

This link will execute a script.

This one linkrefjs defined by a linkref will also.

Same with URL autolinks javascript:alert(window). (Email autolinks might be considered unsafe too since they will typically launch an external application.)

Raw HTML blocks can be used to insert links and on any tag arbitrary attributes that can inject scripting:

click me

Script tags:

<script>alert("yes this ran");</script>

Style tags:

<style>body { margin: 5em; }</style>

and any other tag. They can also appear <script>document.write('inline');</script>.

Images that pull remote content could be used by an attacker to sniff who is rendering the content:

remote content

and could also trigger logouts or other actions on sites that have CSRF vulnerabilities.

Image tags can also embed unsafe content, here a data URL holding an SVG image that uses inline scripting:

![](data:image/svg+xml, )

(One must also wonder if the embedded XML leads to other vulnerabilities, since XML processing often has network-related unintended consequences.)

Raw HTML can also render XHTML processing instructions, doctypes, and comments which while not generally unsafe could potentially trigger special behavior:

And finally fenced code blocks can cause the insertion of an abitrary CSS tag, generally prefixed by language-, but this is implementation dependent, so it may or may not be safe.

generates <code class="language-ruby">...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment