Cross-site Scripting (XSS) via URI

[buglloc]

Browsers support both lowercase and uppercase x in hexadecimal form of HTML character entity (tested on Chromium && FF).
But marked unescape only lowercase:

// https://github.com/chjj/marked/blob/master/lib/marked.js#L1096-L1108

function unescape(html) {
	// explicitly match decimal, hex, and named HTML entities 
  return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/g, function(_, n) {
    n = n.toLowerCase();
    if (n === 'colon') return ':';
    if (n.charAt(0) === '#') {
      return n.charAt(1) === 'x'
        ? String.fromCharCode(parseInt(n.substring(2), 16))
        : String.fromCharCode(+n.substring(1));
    }
    return '';
  });
}

This allow attacker to create link with javascript code.
For example, this code:

var marked = require('marked');
marked.setOptions({
  renderer: new marked.Renderer(),
  sanitize: true
});

text = `
lower[click me](javascript:...)lower
upper[click me](javascript:...)upper
`;

console.log(marked(text));

Will render:

<p>lowerlower
upper<a href="javascript&#X3a;...">click me</a>upper</p>

Browser example: https://www.buglloc.com/marked.html
Tested on Marked v0.3.6 + Chromium 60.0.3112.90 and Firefox 55.0.1

[matt-]

You are right. this should should be a case-insensitive match:

html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/ig

unfortunately the maintainer is not longer around to push a change to npm. I will push a change to the master branch but unfortunately that may be as far as this change goes.

[CSEMike]

Hi Matt -- did this issue ever result in a pull request? Thanks!

[joshbruce]

See #937

[matt-]

Just tested this and it is still an issue. Why was this closed? what tests were added?

[joshbruce]

See #926