On 15.07.2017 at 23:54, tetyys wrote:
very nice!

one question about the </ encoding:
https://github.com/rejectedsoftware/vibe.d/commit/e4a600f911218c49f9984734b8ba36f193e99c17


wouldn't this
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Image_XSS_using_the_JavaScript_directive
pass normally?

If a user-supplied image URL is passed to the "src" attribute unchecked, then yes. But this would work regardless of the JSON escape rules and really needs to be prevented by the application code.

However, I just noticed that this is still possible to exploit in the Markdown processor. User defined HTML is filtered, but link targets are passed to the rendered HTML as-is (just HTML encoded).
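A defender-side illustration of both points in this thread, added here and not code from vibe.d or from either poster: `json_for_script` applies the same `</` escape as the linked commit so a JSON string can never close a surrounding `<script>` element, and `safe_link_target` shows why HTML-encoding a Markdown link target is not enough and adds a URL-scheme allowlist in front of it. The allowlist contents and all function names are my own assumptions, not vibe.d's API.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Assumed conservative allowlist for Markdown href/src targets; the thread
# does not state which schemes vibe.d itself permits.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII tab/CR/LF inside URLs before parsing, so "java\tscript:"
# is still a javascript: URL to them; strip the same characters before checking.
_URL_CONTROL_CHARS = re.compile(r"[\t\r\n]")


def json_for_script(value):
    """Serialise `value` as JSON that is safe to embed inside a <script> block.

    json.dumps leaves '</' untouched, so a string containing '</script>' would
    terminate the enclosing script element when the page is parsed as HTML.
    Writing the slash as '<\\/' yields identical data after JSON.parse but
    removes the byte sequence the HTML tokenizer looks for.
    """
    return json.dumps(value).replace("</", "<\\/")


def safe_link_target(url):
    """Return an attribute-safe href for a Markdown link target, or None.

    HTML-encoding alone does not help here: a 'javascript:' URL contains no
    character that html.escape changes, so the browser still executes it.
    The scheme has to be checked before the value is encoded.
    """
    cleaned = _URL_CONTROL_CHARS.sub("", url).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None  # unknown or script-capable scheme: refuse the link
    return html.escape(cleaned, quote=True)


def render_markdown_link(text, url):
    """Emit <a href=...>text</a>, or just the text when the target is refused."""
    href = safe_link_target(url)
    if href is None:
        return html.escape(text)
    return '<a href="%s">%s</a>' % (href, html.escape(text))
```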
