Isn't this how the web is meant to work (hypermedia)? And also a normal markdown feature?
I've been using this and it is very helpful to keep the texts clean.
Perhaps a better approach would be a notification after clicking the links, telling the user he is leaving SN and being sent to X (where X is the real place he is being redirected to).
Perhaps a better approach would be a notification after clicking the links, telling the user he is leaving SN and being sent to X (where X is the real place he is being redirected to).
Adding a redirection warning for every link would be detrimental to UX, I think. I think the better solution is to prevent formatting links as markdown links. So if something is already a link, you can't use the []() syntax.
I noticed Github is also vulnerable to this.
reply
I'm not sure I would caracterize this as a vulnerability, this is exactly how markdown is supposed to work and the web is supposed to work. I don't see websites being marked as vulnerable because someone includes:
<a href="https://website2.com">https://website1.com</a>
Anyhow, it doesn't hurt to forbid urls in the [] part of [](). I think it is reasonable compromise.
reply
I would consider it a vulnerability since it can be abused by attackers.
In your example, as long as the input is trusted, I would also not mark the website as vulnerable. However, if the input is controlled by users and thus not trusted (as is the case here), the website would be vulnerable to phishing attacks.
For example, read more here:
An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.
Another example would be if our Markdown engine would not already sanitize the () part, XSS would be possible using this: [https://stacker.news/items/194732](javascript:alert(1))
The () part is fortunately replaced with javascript:void(0): https://stacker.news/items/194732
Github just doesn't apply the formatting in this case.
So I don't think it's a big difference between XSS like this and allowing malicious links to consider something a vulnerability or not.
reply