XSS Vulnerability Fixed

Last modified 3 years, 253 days ago

An interesting thing about putting JavaScript in a website is that the HTML parser ends a script element at the first </script> it sees, even when that text sits inside a JavaScript string. What this means is that you can never have a literal </script> in inline JavaScript. I forgot about this, and that led to the possibility of injecting JavaScript anywhere I was using marked, via something like </script><script>//your evil code here</script>.

The simple fix for this is to find every instance of </script> and replace it with </'+'script> before passing the text to marked.
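The following is an added example, not code from this blog or from marked. It shows the fix above as a function next to a more general escaping routine, and includes the check a reviewer would run on the finished inline script. The point it adds: the HTML tokenizer matches "</script" case-insensitively whenever it is followed by whitespace, "/" or ">", so replacing only the exact lowercase text "</script>" still leaves "</SCRIPT>" and "</script >" able to end the element. Escaping every "</" as "<\/" (and "<!--", which also has special meaning inside script data) covers all of those, and because JSON allows "\/" and "\uXXXX" the escaped text is still valid JSON and round-trips with JSON.parse. The function names and sample inputs are constructed for this example.

```javascript
// Added example (not the blog's own code). Embedding untrusted text inside an
// inline <script> as a JavaScript string literal so the HTML tokenizer cannot
// end the script element early.

// The fix described in the post, as a function (constructed here for comparison):
// replace the exact lowercase "</script>" so a string concatenation splits it.
function naiveFix(text) {
  return text.replace(/<\/script>/g, "</'+'script>");
}

// More general variant: serialise with JSON.stringify, then escape the sequences
// the HTML tokenizer treats specially inside script data. The output is still
// valid JSON, so JSON.parse recovers the original text.
function toInlineScriptLiteral(untrusted) {
  return JSON.stringify(untrusted)
    .replace(/<\//g, '<\\/')        // "</" -> "<\/": covers </script>, </SCRIPT>, </script >
    .replace(/<!--/g, '\\u003c!--') // "<!--" also changes how the tokenizer reads script data
    .replace(/\u2028/g, '\\u2028')  // JSON allows these raw; older JS string literals do not
    .replace(/\u2029/g, '\\u2029');
}

// Reviewer's check on a script body: is there anything the HTML tokenizer would
// read as the end of the script element? Mirrors the tokenizer rule:
// "</script" in any case, followed by whitespace, "/" or ">".
function hasPrematureScriptEnd(scriptBody) {
  return /<\/script[\s\/>]/i.test(scriptBody);
}

// Build the inline script that hands the markdown source to the renderer on the page.
function buildInlineScript(markdownSource) {
  return '<script>var source = ' + toInlineScriptLiteral(markdownSource) + ';</script>';
}

// Constructed sample inputs: the payload shape from the post, in two casings.
const SAMPLE_LOWER = 'text </script><script>/* injected */</script> more';
const SAMPLE_UPPER = 'text </SCRIPT><script>/* injected */</script> more';

// Compare both approaches on both samples; returns a summary object.
function demo() {
  return {
    naiveLowerSafe: !hasPrematureScriptEnd(naiveFix(SAMPLE_LOWER)),   // true
    naiveUpperSafe: !hasPrematureScriptEnd(naiveFix(SAMPLE_UPPER)),   // false: </SCRIPT> survives
    robustUpperSafe: !hasPrematureScriptEnd(toInlineScriptLiteral(SAMPLE_UPPER)), // true
    roundTrips: JSON.parse(toInlineScriptLiteral(SAMPLE_UPPER)) === SAMPLE_UPPER, // true
  };
}

console.log(demo());
```

Note that the "</'+'script>" replacement only works when the content lands inside a single-quoted JavaScript string that is being concatenated; the JSON.stringify route produces a complete literal on its own, so it does not depend on the surrounding quoting.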

In any case, I accidentally had this vulnerability since I switched to marked, and I've now fixed it. Fortunately, no one has exploited it, so I dodged a bullet there. As always, cyber security is about remaining vigilant. I haven't magically fixed everything, and no one ever can.

Edit: And when I originally posted this, I discovered another bug, fortunately this time not leading to an XSS vulnerability (as far as I know). I never escaped backslashes (you know, these: \) in here. That was leading to this post not even appearing!

Originally published September 23, 2016
