Cross-site Scripting (XSS) - Stored in vanessa219/vditor

Valid

Reported on Jan 23rd 2022


Description

Vanessa219/vditor is a browser-based markdown editor. When a user creates a link using markdown syntax, the server does not URL-encode the double quotes in the URL, so the user can break out of the href attribute and trigger XSS through an on* event-handler attribute.

Proof of Concept

XSS PoC : [xss](https://google.com/"//onmousemove="alert(document.domain))
> I can insert an onerror, but I can't log in without a Chinese phone number, so I can't test it.

1. Open https://ld246.com/guide/markdown
2. Enter the XSS PoC (strangely, it doesn't insert at once, so I have to try inserting several times).
3. When the user hovers the mouse over the link, the XSS is triggered via the mouse event.

Video : https://www.youtube.com/watch?v=pKQMbrezdCs

Impact

Through this vulnerability, an attacker is capable of executing malicious scripts.
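The root cause described above is an output-encoding defect: the link URL is interpolated into the href attribute without attribute encoding, so a double quote in it terminates the attribute and the remainder of the URL is parsed as further attributes. The following is an added example, not vditor's code and not the change made in commit 219f8a: a minimal markdown link renderer in that vulnerable shape next to a hardened version that encodes the URL for attribute context and allow-lists the scheme. The regexes, function names and the attribute-name helper (which approximates how an HTML tokenizer splits the tag) are illustrative assumptions; the PoC string is the one quoted in the report.

```javascript
// Added example, not vditor's code: a minimal markdown link renderer in the
// vulnerable shape described in the report (URL interpolated into href
// unencoded) next to a hardened version that attribute-encodes the URL and
// rejects non-http(s) schemes. Names and regexes here are illustrative.

// The PoC string quoted in the report above.
const REPORT_POC = '[xss](https://google.com/"//onmousemove="alert(document.domain))';

// Matches [text](url); the url part stops at whitespace or ')'.
const LINK_RE = /\[([^\]]*)\]\(([^\s)]+)\)/;

// Encode the characters that can break out of an attribute value or text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Allow-list of schemes: absolute http(s) URLs and same-site relative paths.
function isSafeHref(url) {
  const u = url.trim().toLowerCase();
  return u.startsWith("http://") || u.startsWith("https://") ||
         u.startsWith("/") || u.startsWith("#");
}

// Vulnerable shape: the URL goes into href without attribute encoding, so a
// double quote in it closes the attribute and whatever follows becomes new
// attributes (including on* handlers).
function renderLinkUnsafe(markdown) {
  const m = LINK_RE.exec(markdown);
  if (!m) return escapeHtml(markdown);
  return `<a href="${m[2]}">${escapeHtml(m[1])}</a>`;
}

// Hardened: attribute-encode the URL and drop links with disallowed schemes
// (the link text is still rendered, as escaped plain text).
function renderLinkSafe(markdown) {
  const m = LINK_RE.exec(markdown);
  if (!m) return escapeHtml(markdown);
  const [, text, url] = m;
  if (!isSafeHref(url)) return escapeHtml(text);
  return `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`;
}

// Review/test helper: list the attribute names a browser would see on the
// first <a> tag. A leaked on* name means the href was broken out of.
// (Approximation of the HTML tokenizer; '/' between attributes is skipped
// just as the tokenizer ignores a stray '/' before the next attribute name.)
function attributeNames(html) {
  const tag = /<a\s([^>]*)>/i.exec(html);
  if (!tag) return [];
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Run both renderers over the report's PoC and return what each exposes.
function demo() {
  const unsafe = renderLinkUnsafe(REPORT_POC);
  const safe = renderLinkSafe(REPORT_POC);
  return {
    unsafeAttrs: attributeNames(unsafe), // ["href", "onmousemove"]
    safeAttrs: attributeNames(safe),     // ["href"]
    safeHtml: safe,
  };
}

console.log(demo());
```

The hardened renderer keeps the attacker-controlled quote inside the attribute as `&quot;`, so the browser sees a single href whose value happens to contain an odd URL; nothing after it is parsed as an event handler. The scheme allow-list is a separate, complementary check: encoding alone would still let a `javascript:` URL through as a clickable link.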

Timeline

We are processing your report and will contact the vanessa219/vditor team within 24 hours. (a year ago)
Pocas modified the report. (a year ago)
We have contacted a member of the vanessa219/vditor team and are waiting to hear back. (a year ago)
V validated this vulnerability. (a year ago)
Pocas has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
V marked this as fixed in 3.8.12 with commit 219f8a. (a year ago)
V has been awarded the fix bounty.
This vulnerability will not receive a CVE.