I'm not sure I would characterize this as a vulnerability, this is exactly how Markdown is supposed to work and the web is supposed to work. I don't see websites being marked as vulnerable because someone includes:
<a href="https://website2.com">https://website1.com</a>
Anyhow, it doesn't hurt to forbid URLs in the [] part of [](). I think it is a reasonable compromise.
I would consider it a vulnerability since it can be abused by attackers.
In your example, as long as the input is trusted, I would also not mark the website as vulnerable. However, if the input is controlled by users and thus not trusted (as is the case here), the website would be vulnerable to phishing attacks.
For example, read more here:
An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.
Another example would be if our Markdown engine did not already sanitize the () part; XSS would then be possible using this: [https://stacker.news/items/194732](javascript:alert(1))
The () part is fortunately replaced with javascript:void(0): https://stacker.news/items/194732
Github just doesn't apply the formatting in this case.
So I don't think there's a big difference between XSS like this and allowing malicious links when deciding whether to consider something a vulnerability or not.