XSS in markdown rendering #5639

Closed
opened 2025-12-29 19:30:25 +01:00 by adam · 14 comments

Originally created by @SoufElhabti on GitHub (Nov 9, 2021).

Originally assigned to: @jeremystretch on GitHub.

NetBox version

v3.0.9

Python version

3.8

Steps to Reproduce

  1. installed NetBox from docker https://hub.docker.com/r/netboxcommunity/netbox/
  2. use any input that accepts markdown
  3. submit this payload:

```
[37qpypz37qpypz37qpypz37qpypz37qpypz]
37qpypz37qpypz37qpypz37qpypz37qpypz]: javascript:alert(1)
```

  4. when submitting the form, click the link and the XSS will fire

Expected Behavior

The payload is dangerous and allows an XSS attack.

Observed Behavior

Executing JavaScript in the admin dashboard.

adam added the type: bugstatus: accepted labels 2025-12-29 19:30:25 +01:00
adam closed this issue 2025-12-29 19:30:25 +01:00

@jeremystretch commented on GitHub (Nov 9, 2021):

> 2. use any input that accepts markdown

Please specify _exactly_ what you're doing.


@SoufElhabti commented on GitHub (Nov 9, 2021):

When adding a site in `/dcim/sites/`, for example, submit the payload in the comment section:

```
[37qpypz37qpypz37qpypz37qpypz37qpypz]
37qpypz37qpypz37qpypz37qpypz37qpypz]: javascript:alert(1)
```

If this wasn't helpful, please refer to the video I recorded for the POC: [POC Video](https://drive.google.com/file/d/14xANXPj07IuAQ15qgO-UK48s7bgoemmz/view?usp=sharing)


@jeremystretch commented on GitHub (Nov 9, 2021):

I'm not able to reproduce this on NetBox v3.0.9. I just see the plain string as entered. It's possible this may be unique to the docker image, in which case you'll need to open a separate bug against that project. What version of Markdown do you have installed?

![Screenshot_2021-11-09 Foo NetBox](https://user-images.githubusercontent.com/13487278/140995618-fd62c566-e8b4-4cf7-a47d-b83a2c72b195.png)


@SoufElhabti commented on GitHub (Nov 9, 2021):

Sorry for giving you a hard time reproducing it. It is:

```
[37qpypz37qpypz37qpypz37qpypz37qpypz]
[37qpypz37qpypz37qpypz37qpypz37qpypz]: javascript:alert(1)
```

I forgot a `[`.


@kkthxbye-code commented on GitHub (Nov 9, 2021):

Duplicate of #4717 - the recommended solution for python-markdown is to filter the html with bleach. Another solution could be to swap it out for another parser that enforces rules for links. Third option would be to try to patch the regex filter in render_markdown.

You don't have to do all that weird stuff he's doing in the payload though, a simple example like this should work:

```
[test
test](javascript:alert(0))
```

@DanSheps commented on GitHub (Nov 9, 2021):

That does not work, at least under a normally configured instance.


@DanSheps commented on GitHub (Nov 9, 2021):

Found the hole...

So, you need to use a reference style link:

```
# Does not work
[Test](javascript:alert(1))


# Does work
[Test 2][ref]

[ref]: javascript:alert(1)
```

@kkthxbye-code commented on GitHub (Nov 9, 2021):

You are misunderstanding the one I posted. You need the newline to bypass the regex.

I verified on both docker and local versions, also you can see it here on the demo instance.

https://demo.netbox.dev/dcim/devices/17/

Again, it's all mentioned in the duplicate issue I linked. The reference style version is new though I guess, but not really the main issue.


@DanSheps commented on GitHub (Nov 9, 2021):

Yes, but if you look at the reference style, that is exactly the style that he is using (he just omitted the actual link and only included the reference).

So it looks like both methods do bypass the allowed URL schemes.


@DanSheps commented on GitHub (Nov 9, 2021):

Summary:

ALLOWED_URLS_SCHEMES check is bypassed on either of the following conditions:

  1. Multi-line links
  2. Reference style links

The question is, do we want to sink time into this. To quote from the previous issue which quotes from the bleach docs:

> Bleach is powerful but it is not fast. If you trust your users, trust them and don’t rely on Bleach to clean up their mess.

As NetBox is not an end-user facing application, do we want to worry about this too much?


@jeremystretch commented on GitHub (Nov 9, 2021):

A few thoughts:

  1. If we were to invoke something "heavy" like Bleach, we would need to first transition to pre-rendered HTML for all objects to mitigate the performance penalty. This would be a major change representing significant effort.
  2. There may be valid use cases for javascript: links, particularly where plugins are in use.
  3. Even using Bleach doesn't guarantee complete protection against XSS. The only surefire approach would be to strip all HTML tags, which is obviously undesirable.

@SoufElhabti commented on GitHub (Nov 9, 2021):

I suggest something such as [navigate-to](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to) which will prevent opening stuff like `javascript:`


@DanSheps commented on GitHub (Nov 10, 2021):

> I suggest something such as [navigate-to](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to) which will prevent opening stuff like `javascript:`

My understanding is no browser supports that tag.

Additionally, as stretch mentioned, there may be instances where javascript: links are desired.


@jeremystretch commented on GitHub (Nov 11, 2021):

I've modified and extended the regular expressions to match both examples above (the multi-line link and the reference link). I believe this addresses the concern raised by the bug report.

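As an added illustration of the two bypass conditions summarised above (multi-line links and reference-style links) and of why the bleach-style approach checks the rendered output rather than the Markdown source, the following is example code written for this page; it is not NetBox's code, and the regex in it is a hypothetical stand-in, not the pattern from `render_markdown`, which the thread does not show. The allowlist, the regex and the rendered-HTML samples are all constructed assumptions. The source-side check only recognises a single-line inline link, so the multi-line and reference forms never reach the scheme test; the output-side check walks the rendered HTML with the standard library's `html.parser`, where every link form has already become an `<a>` tag with a decoded `href`.

```python
"""Added example (not NetBox's code): a hypothetical source-side URL-scheme
check beside one applied to the rendered HTML. Allowlist, regex and HTML
samples are constructed for illustration."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist (assumption: NetBox's real ALLOWED_URL_SCHEMES is not on the page).
ALLOWED_URL_SCHEMES = {"http", "https", "mailto", "ftp"}

# Hypothetical source-side pattern: recognises only a single-line inline link [text](url).
INLINE_LINK_RE = re.compile(r"\[[^\]\n]*\]\(\s*([^)\s]+)")


def scheme_of(url: str) -> str:
    """Return the URL scheme in lower case, or '' for a relative URL."""
    return urlsplit(url.strip()).scheme.lower()


def source_check_allows(markdown_src: str) -> bool:
    """Return False only when a single-line inline link carries a disallowed scheme.

    Multi-line link text and reference-style definitions never match the
    pattern, so they pass; that is the gap the thread describes.
    """
    for match in INLINE_LINK_RE.finditer(markdown_src):
        scheme = scheme_of(match.group(1))
        if scheme and scheme not in ALLOWED_URL_SCHEMES:
            return False
    return True


class HrefSanitizer(HTMLParser):
    """Rebuild an HTML fragment, dropping href attributes whose scheme is not allowed.

    convert_charrefs=True means the href is compared after entity decoding.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []  # rejected href values, useful for logging

    def _render_attrs(self, attrs) -> str:
        parts = []
        for name, value in attrs:
            if name.lower() == "href" and value is not None:
                scheme = scheme_of(value)
                if scheme and scheme not in ALLOWED_URL_SCHEMES:
                    self.dropped.append(value)
                    continue  # emit the tag without its href
            parts.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_hrefs(html_fragment: str) -> tuple[str, list[str]]:
    """Return (sanitised HTML, list of href values that were dropped)."""
    parser = HrefSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# The link forms discussed in the thread as Markdown source ...
SOURCES = {
    "inline": "[Test](javascript:alert(1))",
    "multiline": "[test\ntest](javascript:alert(0))",
    "reference": "[Test 2][ref]\n\n[ref]: javascript:alert(1)",
    "benign": "[docs](https://example.com/docs) and [site](/dcim/sites/)",
}

# ... and constructed HTML of the kind a Markdown renderer emits for each.
RENDERED = {
    "inline": '<p><a href="javascript:alert(1)">Test</a></p>',
    "multiline": '<p><a href="javascript:alert(0)">test\ntest</a></p>',
    "reference": '<p><a href="javascript:alert(1)">Test 2</a></p>',
    "benign": '<p><a href="https://example.com/docs">docs</a> and <a href="/dcim/sites/">site</a></p>',
}


def compare_checks() -> dict[str, tuple[bool, int]]:
    """Per case: (did the source check let it through?, hrefs dropped by the output check)."""
    return {
        name: (source_check_allows(SOURCES[name]), len(sanitize_hrefs(RENDERED[name])[1]))
        for name in SOURCES
    }


if __name__ == "__main__":
    for name, (passed_source, dropped) in compare_checks().items():
        print(f"{name:10} source check passed: {passed_source!s:5} output check dropped: {dropped}")
```

Running it shows the source check passing the multi-line and reference cases while the output check drops one `href` in each, and leaving the relative and `https:` links in the benign case untouched. Checking the parsed output is what makes the result independent of Markdown syntax: by then reference definitions are resolved and the parser hands over the decoded attribute value. The `dropped` list is worth logging, since a user submitting such content is itself a signal.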

Reference: starred/netbox#5639