Le 2008-03-15 à 0:39, Waylan Limberg a écrit :

On Fri, Mar 14, 2008 at 11:22 PM, Michel Fortin

PHP Markdown also has a no-markup mode which would filter script tags
and any other HTML tags. But this doesn't prevent anyone from
inserting their own script on the page. Do you know you can inject a
script in a URL? Guess what this does:

    [link](javascript:alert%28'Hello%20world!'%29)

This is a good point, and something I hadn't thought about myself. I
would think that markdown should *not* allow that regardless of any
safe/no-markup/whatever-you-call-it mode. If someone legitimately
wants javascript in their links/images/etc then they should be writing
raw html. What do you think?

Well if you want your "safe" mode to be really safe, then sure you should not allow `javascript:` URIs indeed.

But in general I believe Markdown should work with any URI. Markdown is a mean of writing web documents of all kinds, not only content from external untrusted sources, and there are many legitimate reasons one would want to write a `javascript:` URI.

Why would you want a "non-safe" Markdown to disallow such URIs in its link syntax if we're going to be able to add them using HTML tags anyway?


Of course, then how do we do that? Some possabilites I came up with
without much thought:

1. Trunicate a url at "javascript:"
2. Completely remove the entire url (perhaps replace with blank string or "#")
3. Leave the markup for the entire link as plan text (in other words -
its not considered a match)
4. Do some kind of escaping (not sure what at this point) and leave it
in the url

Whatever you do, you first have to detect script URIs, all of them; this is no trivial matters. Most of these will run a script in IE or some other browser (based on the [XSS cheat sheet][1]):

    [link](vbscript:msgbox%28%22Hello%20world!%22%29)
    [link](livescript:alert%28'Hello%20world!'%29)
    [link](mocha:[code])
    [link](jAvAsCrIpT:alert%28'Hello%20world!'%29)
    [link](ja vas cr ipt:alert%28'Hello%20world!'%29)
    [link](ja vas cr ipt:alert%28'Hello%20world!'%29)
    [link](ja vas cr ipt:alert%28'Hello%20world!'%29)
[link](ja%09 %0Avas cr
ipt:alert%28'Hello %20world!'%29)
    [link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29)
    [link](live%20script:alert%28'Hello%20world!'%29)

I can't claim this is an exhaustive list, nor that they're all going to work, but it should give an idea of the problem at hand.

I think blacklisting known dangerous schemes is always going to leave holes. A better approach is to have a white list of known "safe" URI schemes and disallow any scheme not in that list. But would be utterly restrictive for any "non-safe" Markdown.

Security filters already exist to do that (like kses); I'd say it's much simpler *and* safer to use such a specialized filter on Markdown's output than trying to come with our own integrated within Markdown.

 [1]: http://ha.ckers.org/xss.html


Michel Fortin
[EMAIL PROTECTED]
http://michelf.com/


_______________________________________________
Markdown-Discuss mailing list
Markdown-Discuss@six.pairlist.net
http://six.pairlist.net/mailman/listinfo/markdown-discuss

Reply via email to