Newline in markdown links bypasses XSS filter #9296

@magicOz

NetBox version

v.3.2.2

Python version

3.8

Steps to Reproduce

The markdown filter fails to sanitize/strip links and references which contain newlines (\n).

pattern = fr'\[([^\]]+)\]\((?!({schemes})).*:(.+)\)'
value = re.sub(pattern, '[\\1](\\3)', value, flags=re.IGNORECASE)
# Sanitize Markdown reference links
pattern = fr'\[(.+)\]:\s*(?!({schemes}))\w*:(.+)'
value = re.sub(pattern, '[\\1]: \\3', value, flags=re.IGNORECASE)

The following payload will produce two links which both will trigger an XSS when clicked.

[XSS1][a]
[a
]: javascript:alert(/XSS1/)

[XSS2](
javascript:alert(/XSS2/))

Expected Behavior

Maybe add the flag re.DOTALL to the regexp?

Observed Behavior

XSS

Labels

status: accepted (This issue has been accepted for implementation)
type: bug (A confirmed report of unexpected behavior in the application)
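
The bypass reported above, reproduced against the two quoted patterns as an added example (not part of the original issue and not the project's fix). The scheme allow-list, the helper names and the benign sample are assumptions; the block also checks the re.DOTALL idea from the issue against the payloads and against an ordinary two-line note.

```python
import re

# Assumption: constructed allow-list; on the page `schemes` comes from NetBox's config.
schemes = "|".join(("http", "https", "mailto"))

# The two patterns exactly as quoted in the issue.
INLINE = fr'\[([^\]]+)\]\((?!({schemes})).*:(.+)\)'
REFERENCE = fr'\[(.+)\]:\s*(?!({schemes}))\w*:(.+)'

def sanitize(value, extra_flags=0):
    """Run both substitutions; extra_flags lets us compare with re.DOTALL."""
    flags = re.IGNORECASE | extra_flags
    value = re.sub(INLINE, '[\\1](\\3)', value, flags=flags)
    return re.sub(REFERENCE, '[\\1]: \\3', value, flags=flags)

def keeps_js_scheme(value):
    """True if a javascript: URL is still present after filtering."""
    return "javascript:" in value.lower()

# Constructed inputs: a single-line baseline, the two payloads from the issue,
# and a benign two-line note (hypothetical) to check for over-matching.
BASELINE = "[x](javascript:alert(1))"
XSS1 = "[XSS1][a]\n[a\n]: javascript:alert(/XSS1/)"
XSS2 = "[XSS2](\njavascript:alert(/XSS2/))"
BENIGN = "[docs](/wiki/page)\nNote: see (appendix)"

def report():
    """Map each case to (result with default flags, result with re.DOTALL)."""
    rows = {}
    for name, text in (("baseline", BASELINE), ("xss1", XSS1), ("xss2", XSS2)):
        rows[name] = (keeps_js_scheme(sanitize(text)),
                      keeps_js_scheme(sanitize(text, re.DOTALL)))
    # Does the filter leave benign multi-line text untouched?
    rows["benign_intact"] = (sanitize(BENIGN) == BENIGN,
                             sanitize(BENIGN, re.DOTALL) == BENIGN)
    return rows

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:14} default={result[0]!s:5} dotall={result[1]}")
```

With re.DOTALL both payloads lose their javascript: scheme, but the greedy `.*` then spans lines and rewrites the benign note, so any flag change here needs regression tests on ordinary multi-line text as well as on the payloads.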
