javascript: protocol is supported in links #1074

@YannikSc

So, it came to my attention that links can contain JavaScript code, which is nothing new in general, but I would've supposed it to be filtered out for Markdown, at least with the pulldown_cmark_escape::escape_html method. There seems to be no way to control which protocols are allowed in links, so theoretically I could put any kind of non-http protocol in the link. Is this supposed to be a feature? Personally I would prefer to be able to whitelist or blacklist protocols somewhere.

I would like to at least have a note on this in the docs, as this can be a pretty big spot for an XSS vulnerability when taking user Markdown and outputting it to the web.

I got some example code here:

```rust
fn main() {
    // Markdown with a javascript: and a tel: link destination.
    let markdown = r#"
# Hello World

[click me](javascript:alert('test'))
[click me](tel:+49123123123)
"#;

    // escape_html only HTML-escapes the text; it does not touch link protocols.
    let mut markdown_filtered = String::new();
    pulldown_cmark_escape::escape_html(&mut markdown_filtered, &markdown).ok();

    // Parse the escaped Markdown and render it to HTML.
    let mut html = String::new();
    let parsed = pulldown_cmark::Parser::new(&markdown_filtered);
    pulldown_cmark::html::push_html(&mut html, parsed);

    println!("{html}")
}
```

These are my dependencies:

```toml
[dependencies]
pulldown-cmark = "0.13"
pulldown-cmark-escape = "0.11.0"
```

The produced HTML:

```html
<h1>Hello World</h1>
<p><a href="javascript:alert(&#x27;test&#x27;)">click me</a>
<a href="tel:+49123123123">click me</a></p>
```
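An added example (not code from the issue author or from pulldown-cmark) of the scheme allowlist the report asks for, applied to each link destination before it is rendered. `ALLOWED_SCHEMES` and `sanitize_link_destination` are assumed names; the pulldown-cmark wiring is kept as a comment, with the `Tag::Link` field names assumed from the 0.13 API, so the file builds stand-alone.

```rust
/// Schemes a rendered link may use (assumption: a site that also wants mailto:).
const ALLOWED_SCHEMES: &[&str] = &["http", "https", "mailto"];
/// Returns the destination if it is relative or uses an allowlisted scheme,
/// `None` otherwise. Mimics browser leniency so the check is not sidestepped by
/// what a browser silently strips: tab/CR/LF removed anywhere, leading spaces
/// and C0 controls dropped, scheme compared case-insensitively.
pub fn sanitize_link_destination(dest: &str) -> Option<String> {
    let cleaned: String = dest
        .chars()
        .filter(|c| !matches!(c, '\t' | '\n' | '\r'))
        .collect();
    let cleaned = cleaned.trim_start_matches(|c: char| c <= ' ');

    let Some(end) = cleaned.find(':') else {
        return Some(cleaned.to_string()); // no colon at all: relative URL
    };
    let scheme = &cleaned[..end];
    let mut chars = scheme.chars();
    let looks_like_scheme = chars
        .next()
        .is_some_and(|c| c.is_ascii_alphabetic())
        && chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.'));
    if !looks_like_scheme {
        // e.g. "docs/a:b": the text before ':' is not a scheme, so a browser
        // treats the whole destination as a relative path.
        return Some(cleaned.to_string());
    }
    ALLOWED_SCHEMES
        .iter()
        .any(|s| s.eq_ignore_ascii_case(scheme))
        .then(|| cleaned.to_string())
}

// Wiring into pulldown-cmark (a comment so this file builds without the crate;
// Tag::Link field names are assumed from the 0.13 API). Filtering the parser's
// decoded destination, not the raw source, also covers entity-encoded schemes.
//
// use pulldown_cmark::{html, Event, Parser, Tag};
// let events = Parser::new(markdown).map(|ev| match ev {
//     Event::Start(Tag::Link { link_type, dest_url, title, id }) => {
//         let dest = sanitize_link_destination(&dest_url).unwrap_or_default();
//         Event::Start(Tag::Link { link_type, dest_url: dest.into(), title, id })
//     }
//     other => other,
// });
// html::push_html(&mut out, events);
fn main() {
    for dest in ["javascript:alert('test')", "tel:+49123123123", "https://example.com/"] {
        println!("{dest:?} -> {:?}", sanitize_link_destination(dest));
    }
}
```

Disallowed links end up with an empty `href`, so the link text still renders but nothing executes on click.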
