<p>Marked: Discussion "Reporting a vulnerability?" (support.markedapp.com, discussions/questions/9089; last updated 2018-05-11T18:50:48Z)</p>

<div><p>Brett, 2018-02-06T18:10:40Z</p>
<p>This would be the proper channel, you can set a conversation to private<br>
if needed.</p>
<p>-Brett</p></div>

<div><p>sxcurity, 2018-02-06T18:15:15Z</p>
<p>Hi Brett,<br>
I set the conversation to private and I have attached the report.<br>
Regards,<br>
Corben Leo</p></div>

<div><p>Brett, 2018-02-06T18:47:17Z</p>
<p>So do you have any suggestions on how to prevent this vulnerability?<br>
Marked requires network requests to work with hosted resources, so<br>
blocking outgoing requests isn't an option. I used to strip script tags<br>
from documents automatically, but that stops people from loading their<br>
own libraries like Mermaid and other tools. I'd be open to suggestions.</p>
<p>-Brett</p></div>

<div><p>sxcurity, 2018-02-06T19:17:55Z</p>
<p>Hi Brett,<br>
I would probably suggest implementing a Content Security Policy (<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy</a>) of some sort. Blocking outgoing requests isn't a good idea as it would indeed mess with the usability of the application.</p></div>

<div><p>sxcurity, 2018-02-06T19:50:54Z</p>
<p>You could always accept the risk as well and remove the <code>preview</code> part of the URL handler, which would make this much harder to exploit.</p></div>

<div><p>Brett, 2018-02-06T20:31:15Z (edited 2018-02-07T16:51:13Z)</p>
<p>I don't think CSP is feasible in this case. But just removing/limiting<br>
the preview function might be fair, I'm not sure many use that anyway.</p>
<p>What if when using the /preview handler, Marked stripped all scripts<br>
from the input? I'd list it as a security feature, and I don't think<br>
that in the use case for that query handler the functionality would be<br>
missed.</p>
<p>-Brett</p></div>

<div><p>sxcurity, 2018-02-06T20:39:43Z (edited 2018-02-06T20:40:39Z)</p>
<p>Yeah, a CSP would indeed be a bit hard to implement. I think limiting the preview function would be a feasible way to remediate this. Stripping event handlers and <code>&lt;script&gt;</code> tags would make this quite hard to exploit. There's not really a need for JavaScript to be executed from that URL preview function.</p>
<p>-Corben</p></div>

<div><p>Brett, 2018-02-06T20:43:28Z</p>
<p>Sounds good. I'll prep the change for the next update, thanks for pointing this out.</p>
<p>Thanks,<br>
Brett</p></div>

<div><p>sxcurity, 2018-02-06T22:36:43Z (edited 2018-02-07T02:47:07Z)</p>
<p>Hey Brett,<br>
Is it alright if I publish this? I will make note that the next update will patch this issue.</p>
<p>Thanks,<br>
Corben Leo</p></div>

<div><p>Brett, 2018-02-06T23:35:52Z</p>
<p>I'll leave that up to you. I'll try to get the update out as soon as possible.</p>
<p>Thanks,<br>
Brett</p></div>

<div><p>sxcurity, 2018-02-07T02:47:26Z</p>
<p>Awesome, thanks Brett.<br>
-Corben</p></div>

<div><p>sxcurity, 2018-02-07T04:32:19Z</p>
<p>This has been assigned a CVE: CVE-2018-6806</p></div>

<div><p>sxcurity, 2018-02-07T16:50:45Z</p>
<p>By the way, I truly do appreciate your quick responses: keep up the good work.</p></div>

<div><p>Brett, 2018-05-11T18:50:41Z</p>
<p>I'm not sure how to go about updating the CVE, but as of 2.5.11 this issue is mitigated as discussed. Marked strips all <code>&lt;script&gt;</code> tags, and also parses out any <code>on[Click/Load/mouse(enter|leave),etc.]</code> attributes on tags.</p></div>
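<p>The mitigation Brett describes for the preview handler (drop every <code>&lt;script&gt;</code> element and every <code>on*</code> event-handler attribute, pass everything else through) can be implemented with a small event-driven HTML rewriter. The block below is an added example written for this page in Python on top of the standard library's <code>html.parser</code>; it is not Marked's own code, and the class and function names, the constructed sample input and the expected output are assumptions of the example. Note that it is a deny-list: it removes only the two constructs named in the thread, so a handler that renders untrusted HTML in a more exposed context should prefer an allow-list sanitizer.</p>

```python
"""Strip <script> elements and on* event-handler attributes from HTML.

Added example (not Marked's code). It mirrors the fix described for
Marked 2.5.11: scripts are removed together with their contents, and any
attribute whose name starts with "on" is dropped. Everything else is
re-emitted unchanged, so the preview still renders the author's markup.
"""
from html import escape
from html.parser import HTMLParser

# Void elements never have a closing tag, so none is emitted for them.
VOID_ELEMENTS = {
    "area", "base", "br", "col", "embed", "hr", "img", "input",
    "link", "meta", "param", "source", "track", "wbr",
}


class ScriptStripper(HTMLParser):
    """Rebuild the document from parser events, omitting scripts and on* attributes.

    html.parser lowercases tag and attribute names, so ONCLICK / <SCRIPT> are
    matched as well; it also unescapes attribute values, which is why values
    are re-escaped on output.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.script_depth = 0      # > 0 while inside a <script> element
        self.dropped_scripts = 0
        self.dropped_handlers = 0

    def _emit(self, text):
        if self.script_depth == 0:  # script contents are never copied out
            self.out.append(text)

    def _render_attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if name.startswith("on"):   # onclick, onload, onmouseenter, ...
                self.dropped_handlers += 1
                continue
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_depth += 1
            self.dropped_scripts += 1
            return
        self._emit(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag == "script":          # self-closing form never enters CDATA mode
            self.dropped_scripts += 1
            return
        self._emit(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "script":
            if self.script_depth > 0:
                self.script_depth -= 1
            return
        if tag not in VOID_ELEMENTS:
            self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def sanitize_preview(html_text):
    """Return (cleaned_html, scripts_removed, handlers_removed)."""
    parser = ScriptStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped_scripts, parser.dropped_handlers


# Constructed sample input for the example (not from the report).
CONSTRUCTED_INPUT = (
    '<h1 onmouseover="highlight()">Title</h1>'
    '<script>console.log("preview")</script>'
    '<p>Hello &amp; welcome</p>'
    '<img src="x.png" ONERROR="fallback()" alt="a &quot;quoted&quot; alt">'
)
EXPECTED_OUTPUT = (
    '<h1>Title</h1>'
    '<p>Hello &amp; welcome</p>'
    '<img src="x.png" alt="a &quot;quoted&quot; alt">'
)

if __name__ == "__main__":
    cleaned, scripts, handlers = sanitize_preview(CONSTRUCTED_INPUT)
    print(cleaned)
    print(f"removed {scripts} script element(s), {handlers} event handler(s)")
```

<p>The counters returned alongside the cleaned markup are worth logging in a real handler: a preview request whose document needed scripts or handlers removed is exactly the kind of event a defender wants to see in the application log.</p>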