• hxxo <a href="www.google.com">you</a>
    h**lo <a name="n" href="javascript:alert('xss')">you</a>
    [some text](javascript:alert('xss'))
    <a href="javascript:alert('xss')">some text</a>
    In this case, it was Markdown's syntax itself that created the dangerous link. No HTML XSS filter can catch this. And unless you start stripping dangerous words like javascript (which would make this article extremely hard to write), there's nothing you can really do to filter XSS attacks from your input. Things get even harder when you tightly mix HTML with Markdown.

    Mixed HTML/Markdown XSS attack

    Consider the following piece of markdown:

    h**lo <a name="n"
    If we apply an XSS filter to this Markdown input to filter bad HTML, the XSS filter, expecting HTML, will likely think the <a> tag ends with the first character on the second line and will leave the text snippet untouched. It will probably fail to see that the href="javascript:…" thing is part of the <a> element and leave it alone. But when Markdown converts this to HTML, you get this:

    <p>h**lo <a name="n"

  • ![0_1533513985583_reset1.JPG](Uploading 100%)
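
Added example, not part of the original posts: the first post describes a filter that inspects the Markdown input and misses the link, so this sketch audits the HTML after conversion instead, which is the markup the browser actually receives. The allowlist, the function and class names, and the split-tag sample (built from the post's single-line form) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed policy for this example: only these schemes may appear in links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src"}


def scheme_of(url):
    """Return the lower-cased URL scheme, or None for a relative URL."""
    # Drop whitespace and control characters first so a scheme broken up by
    # a tab or newline is still recognised (errs on the side of flagging).
    cleaned = re.sub(r"[\x00-\x20]+", "", url)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return match.group(1).lower() if match else None


class LinkAuditor(HTMLParser):
    """Collects (tag, attribute, value) for URL attributes with a disallowed scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser hands over the attributes of a tag even when the tag
        # spans several lines, with character references already decoded.
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                scheme = scheme_of(value)
                if scheme is not None and scheme not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, value))


def unsafe_links(rendered_html):
    """Audit HTML produced by the Markdown converter, not the raw input."""
    auditor = LinkAuditor()
    auditor.feed(rendered_html)
    auditor.close()
    return auditor.findings


# Samples: the converted link shown in the post, a split tag constructed
# from the post's single-line form, and the post's benign link.
RENDERED_MARKDOWN_LINK = "<a href=\"javascript:alert('xss')\">some text</a>"
RENDERED_SPLIT_TAG = "<p>h**lo <a name=\"n\"\nhref=\"javascript:alert('xss')\">you</a></p>"
BENIGN_LINK = "hxxo <a href=\"www.google.com\">you</a>"

if __name__ == "__main__":
    for sample in (RENDERED_MARKDOWN_LINK, RENDERED_SPLIT_TAG, BENIGN_LINK):
        print(unsafe_links(sample) or "ok", "<-", repr(sample))
```

A non-empty result means the rendered fragment should be rejected or have the attribute removed before it is stored or displayed.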
