vulnerability cross-site scripting (xss)
severity 7.2
language javascript
registry npm


I would like to report an XSS vulnerability in pandao/editor.md. The implemented HTML tag filtering doesn't work for self-closing tags, leading to possible code injection on these elements.


module name: Editor.md
version: all versions

Module Description

Editor.md : The open source embeddable online markdown editor (component), based on CodeMirror & jQuery & Marked.

Weekly Downloads


Vulnerability Description

editor.md relies on filterHTMLTags to prevent XSS: it applies a RegExp that removes blacklisted tags and attributes from the rendered HTML. Unfortunately the RegExp does not handle self-closing tags such as <img ... />, so their event-handler attributes survive the filter and attacker-controlled script can be executed in the viewer's browser.


Insert a self-closing element with an event-handler attribute into the editor to execute code:

  1. Download editor.md: git clone https://github.com/pandao/editor.md
  2. Go into the directory: cd editor.md
  3. Serve the content with any web server, e.g. php -S localhost:8080
  4. Open http://localhost:8080/examples/html-tags-decode.html
  5. Enable filtering by clicking the "Filter style,script,iframe|onclick,title,onmouseover,onmouseout,style" button (with this filter no code should execute; note that both style and onmouseover, used by the payload below, are on the blacklist)
  6. Insert the following element with the payload using the editor (it must be on its own line):
    <img src="https://picsum.photos/200" style="position:fixed;left:0;top:0;width:200px;height:200px;z-index:100" onmouseover="alert('img execution...')"/>
  7. The code executes when the mouse is moved over the image
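As an added illustration (this is not editor.md's own code and does not reproduce its exact RegExp, which the report does not quote), the following JavaScript models a tag/attribute blacklist filter of the kind described, driven by the same filter string as the example page. filterHtmlTagsPaired only rewrites attributes inside elements it can match as an open/close pair, which reproduces the reported behaviour: a paired <a ...>...</a> is cleaned, while a self-closing <img .../> keeps its onmouseover handler. It also shows the same bypass for an unclosed void element without the slash, which the report does not mention but which the same matching gap covers. filterHtmlTagsFixed rewrites every start tag instead. The function names, regexes and sample markup are assumptions of this example, and the payload uses a constructed local image path rather than the live URL from step 6.

```javascript
// Added illustration, not editor.md's own code: a regex blacklist filter
// in the style the report describes, and why a self-closing tag slips past it.
// Filter spec format mirrors the example page: "tag1,tag2|attr1,attr2".
// All names, regexes and sample markup below are assumptions of this example.

const FILTER = "style,script,iframe|onclick,title,onmouseover,onmouseout,style";

function parseFilter(filters) {
  const [tagPart, attrPart = ""] = filters.split("|");
  const tags = tagPart.split(",").filter(Boolean);
  const attrs = attrPart.split(",").filter(Boolean);
  // Matches ` attr="..."`, ` attr='...'` or ` attr=bare` for any blacklisted attr.
  const attrRe = attrs.length
    ? new RegExp("\\s+(?:" + attrs.join("|") + ")\\s*=\\s*(?:\"[^\"]*\"|'[^']*'|[^\\s>]+)", "gi")
    : null;
  return { tags, attrRe };
}

// Vulnerable model: whole elements are removed for blacklisted tag names, and
// blacklisted attributes are stripped only from elements matched as an
// <x ...>...</x> PAIR.  A void element such as <img .../> never matches that
// pattern, so its event-handler attributes are left untouched.
function filterHtmlTagsPaired(html, filters) {
  const { tags, attrRe } = parseFilter(filters);
  for (const tag of tags) {
    html = html.replace(
      new RegExp("<\\s*" + tag + "\\b[^>]*>[\\s\\S]*?<\\s*/" + tag + "\\s*>", "gi"), "");
  }
  if (attrRe) {
    html = html.replace(/<(\w+)([^>]*)>([\s\S]*?)<\/\1\s*>/gi,
      (m, name, attrStr, inner) =>
        "<" + name + attrStr.replace(attrRe, "") + ">" + inner + "</" + name + ">");
  }
  return html;
}

// Hardened model: blacklisted tags are removed in paired AND unclosed form, and
// attributes are stripped from EVERY start tag, whether or not a closing tag
// follows (so <img .../> and <img ...> are both covered).
function filterHtmlTagsFixed(html, filters) {
  const { tags, attrRe } = parseFilter(filters);
  for (const tag of tags) {
    html = html.replace(
      new RegExp("<\\s*" + tag + "\\b[^>]*>[\\s\\S]*?<\\s*/" + tag + "\\s*>", "gi"), "");
    html = html.replace(new RegExp("<\\s*" + tag + "\\b[^>]*>", "gi"), "");
  }
  if (attrRe) {
    // (\/?) keeps an existing self-closing slash in place.
    html = html.replace(/<(\w+)([^>]*?)(\/?)>/g,
      (m, name, attrStr, slash) => "<" + name + attrStr.replace(attrRe, "") + slash + ">");
  }
  return html;
}

// Constructed sample markup (local image path instead of the report's live URL).
const PAIRED = '<a href="#" onmouseover="alert(1)">hover</a>';
const SELF_CLOSING = '<img src="/200.png" style="position:fixed" onmouseover="alert(1)"/>';
const UNCLOSED_VOID = '<img src="/200.png" onmouseover="alert(1)">';

function demo() {
  return {
    pairedVulnerable: filterHtmlTagsPaired(PAIRED, FILTER),             // handler stripped
    selfClosingVulnerable: filterHtmlTagsPaired(SELF_CLOSING, FILTER),  // unchanged: bypass
    unclosedVoidVulnerable: filterHtmlTagsPaired(UNCLOSED_VOID, FILTER), // unchanged: bypass
    selfClosingFixed: filterHtmlTagsFixed(SELF_CLOSING, FILTER),        // handler stripped
    unclosedVoidFixed: filterHtmlTagsFixed(UNCLOSED_VOID, FILTER),      // handler stripped
  };
}

console.log(demo());
```

Run it with node; demo() returns the five filtered strings. Even the hardened model is still a regex blacklist and can be defeated by other HTML tricks (malformed or entity-encoded attribute names, handlers not on the list such as onerror, tags the regex tokenises wrongly), so the robust fix is an allow-list sanitizer that works on a parsed DOM, for example DOMPurify, applied to the rendered output rather than to the raw markup.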


If editor content is stored and later rendered for other users (a comment, wiki page or post), an attacker could use this to run arbitrary JavaScript in the browser of every user who views it (stored XSS), despite the application having enabled the tag and attribute filter.