# Reporting a vulnerability?

#### sxcurity

06 Feb, 2018 04:33 PM

Hey there, I've found a pretty high impact vulnerability in Marked, how can I report it?
Thanks much,
Corben

1. Support Staff Posted by Brett on 06 Feb, 2018 06:10 PM

This would be the proper channel; you can set a conversation to private if needed.

-Brett

2. Posted by sxcurity on 06 Feb, 2018 06:15 PM

Hi Brett,
I set the conversation to private and I have attached the report.
Regards,
Corben Leo

3. Support Staff Posted by Brett on 06 Feb, 2018 06:47 PM

So do you have any suggestions on how to prevent this vulnerability?
Marked requires network requests to work with hosted resources, so
blocking outgoing requests isn't an option. I used to strip script tags
own libraries like Mermaid and other tools. I'd be open to suggestions.

-Brett

4. Posted by sxcurity on 06 Feb, 2018 07:17 PM

Hi Brett,
I would probably suggest implementing a Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-S...) of some sort. Blocking outgoing requests isn't a good idea as it would indeed mess with the usability of the application.

5. Posted by sxcurity on 06 Feb, 2018 07:50 PM

You could always accept the risk as well and remove the preview part of the URL handler, which would make this much harder to exploit.

6. Support Staff Posted by Brett on 06 Feb, 2018 08:31 PM

I don't think CSP is feasible in this case. But just removing/limiting the preview function might be fair; I'm not sure many use that anyway.

What if when using the /preview handler, Marked stripped all scripts
from the input? I'd list it as a security feature, and I don't think
that in the use case for that query handler the functionality would be
missed.

-Brett

7. Posted by sxcurity on 06 Feb, 2018 08:39 PM

Yeah, a CSP would indeed be a bit hard to implement. I think limiting the preview function would be a feasible way to remediate this. Stripping event handlers and `<script>` tags would make this quite hard to exploit. There's not really a need for JavaScript to be executed from that URL preview function.

-Corben

8. Support Staff Posted by Brett on 06 Feb, 2018 08:43 PM

Sounds good. I'll prep the change for the next update; thanks for pointing this out.

Thanks,
Brett

9. Posted by sxcurity on 06 Feb, 2018 10:36 PM

Hey Brett,
Is it alright if I publish this? I will make a note that the next update will patch this issue.

Thanks,
Corben Leo

10. Support Staff Posted by Brett on 06 Feb, 2018 11:35 PM

I'll leave that up to you. I'll try to get the update out as soon as possible.

Thanks,
Brett

11. Posted by sxcurity on 07 Feb, 2018 02:47 AM

Awesome, thanks Brett.
-Corben

12. Posted by sxcurity on 07 Feb, 2018 04:32 AM

This has been assigned a CVE: CVE-2018-6806

13. Posted by sxcurity on 07 Feb, 2018 04:50 PM

By the way, I truly do appreciate your quick responses: keep up the good work.

14. Support Staff Posted by Brett on 11 May, 2018 06:50 PM

I'm not sure how to go about updating the CVE, but as of 2.5.11 this issue is mitigated as discussed. Marked strips all `<script>` tags, and also parses out any `on[Click/Load/mouse(enter|leave), etc.]` attributes on tags.
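The mitigation Brett describes above (dropping `<script>` elements and `on*` event-handler attributes before the preview is rendered), written out as an added example for this page; it is not Marked's own code. It walks the HTML token stream with Python's standard-library `html.parser` instead of using regular expressions, so case variants such as `<SCRIPT>` and `ONERROR` are caught. The `ScriptStripper` class, the `sanitize` function and the sample input are all constructed for the example. It also drops `javascript:`, `vbscript:` and `data:` URLs in `href`/`src`-type attributes, which goes beyond what the thread discusses.

```python
"""Strip <script> elements and on* event-handler attributes from HTML.

Added example of the mitigation agreed in the thread; not Marked's own code.
Uses the stdlib parser rather than regexes so tag and attribute case does
not matter. The URL-scheme check is an addition beyond the thread.
"""
from html import escape
from html.parser import HTMLParser
import re

# Attributes whose value is a URL the preview WebView would navigate to or load.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# URL schemes that execute code or smuggle markup instead of fetching a resource.
BLOCKED_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


class ScriptStripper(HTMLParser):
    """Re-emits the document, minus scripts, on* handlers and blocked URLs."""

    def __init__(self):
        # convert_charrefs=True hands us decoded text, which we re-escape on output.
        super().__init__(convert_charrefs=True)
        self.out = []           # rebuilt HTML fragments
        self.dropped = []       # (tag, attribute-or-None) for each removal
        self.in_script = False  # True while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.dropped.append(("script", None))
            return
        if not self.in_script:
            self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags; a self-closing <script/> is dropped like any other.
        if tag == "script":
            self.dropped.append(("script", None))
        elif not self.in_script:
            self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Script bodies never reach the output; ordinary text is re-escaped.
        if not self.in_script:
            self.out.append(escape(data, quote=False))

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:  # HTMLParser has already lower-cased names
            if name.startswith("on"):
                self.dropped.append((tag, name))
                continue
            if name in URL_ATTRS and value is not None and BLOCKED_SCHEME.match(value):
                self.dropped.append((tag, name))
                continue
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")


def sanitize(html_text):
    """Return (cleaned_html, dropped) for an untrusted HTML string."""
    parser = ScriptStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample input mixing benign markup with the constructs the
# mitigation is meant to remove.
SAMPLE = (
    '<h1 onclick="alert(1)">Title</h1>'
    '<p>Plain <b>text</b> &amp; entities</p>'
    '<SCRIPT>alert(1)</SCRIPT>'
    '<img src="x" ONERROR="alert(1)" alt="pic">'
    '<a href="javascript:alert(1)">link</a>'
    '<a href="https://example.com">ok</a>'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE)
    print(cleaned)
    for tag, attr in dropped:
        print("dropped:", tag, attr or "(element)")
```

Strip-and-re-emit like this is a denylist, so anything not in the lists passes through; an allowlist of permitted tags and attributes is the more robust shape of the same idea. The `dropped` list gives the application something to log, so removals are visible rather than silent.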
