{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/justhtml/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["JustHTML"],"_cs_severities":["high"],"_cs_tags":["xss","justhtml","markdown"],"_cs_type":"advisory","_cs_vendors":["JustHTML"],"content_html":"\u003cp\u003eJustHTML, a Python library for HTML manipulation, is susceptible to a cross-site scripting (XSS) vulnerability in versions 1.12.0 and earlier. This flaw occurs during the \u003ccode\u003eto_markdown()\u003c/code\u003e serialization of attacker-controlled \u003ccode\u003e\u0026lt;pre\u0026gt;\u003c/code\u003e content. The vulnerability allows an attacker to inject arbitrary HTML code outside the intended fenced code block by exploiting a weakness in how the library handles backticks within the \u003ccode\u003e\u0026lt;pre\u0026gt;\u003c/code\u003e tag. This bypasses the v1.12.0 Markdown hardening, which escaped HTML-significant characters for regular text nodes but not for the separate \u003ccode\u003e\u0026lt;pre\u0026gt;\u003c/code\u003e serialization path. This can lead to the execution of arbitrary JavaScript code when the resulting Markdown is rendered by a CommonMark/GFM-style renderer that allows raw HTML.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts malicious HTML content containing a \u003ccode\u003e\u0026lt;pre\u0026gt;\u003c/code\u003e tag with embedded backticks and HTML-like text.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies this crafted HTML to the \u003ccode\u003eJustHTML()\u003c/code\u003e constructor with \u003ccode\u003esanitize=True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eto_markdown()\u003c/code\u003e method is called on the \u003ccode\u003eJustHTML\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eto_markdown()\u003c/code\u003e method processes the \u003ccode\u003e\u0026amp;lt;pre\u0026gt;\u003c/code\u003e tag and generates a fenced code block with a fixed delimiter of ``````` (three backticks).\u003c/li\u003e\n\u003cli\u003eDue to the fixed delimiter, the attacker-controlled content, containing a backtick run of length 3 or more, terminates the code block prematurely.\u003c/li\u003e\n\u003cli\u003eThe remaining HTML-like text, such as \u003ccode\u003e\u0026lt;img src=x onerror=alert(1)\u0026gt;\u003c/code\u003e, appears outside the fenced code block in the resulting Markdown output.\u003c/li\u003e\n\u003cli\u003eThe vulnerable markdown is rendered by a CommonMark/GFM-style renderer.\u003c/li\u003e\n\u003cli\u003eThe injected HTML is treated as raw HTML, leading to the execution of the embedded JavaScript code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to inject arbitrary HTML and JavaScript code into applications that use \u003ccode\u003eJustHTML(..., sanitize=True).to_markdown()\u003c/code\u003e and render the output in Markdown contexts. This may lead to XSS, where the attacker can execute malicious scripts in the context of the victim's browser.  The number of affected applications is currently unknown, but any application using JustHTML for Markdown generation with user-supplied HTML is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a version of \u003ccode\u003ejusthtml\u003c/code\u003e greater than 1.12.0 to remediate the vulnerability as advised in the advisory.\u003c/li\u003e\n\u003cli\u003eSanitize user-provided HTML input before passing it to \u003ccode\u003eJustHTML\u003c/code\u003e to mitigate the risk of malicious code injection.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider implementing custom escaping logic for \u003ccode\u003e\u0026lt;pre\u0026gt;\u003c/code\u003e content before passing it to \u003ccode\u003eto_markdown()\u003c/code\u003e to prevent code fence breakouts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-justhtml-xss/","summary":"JustHTML versions 1.12.0 and earlier are vulnerable to cross-site scripting (XSS) by manipulating the contents of a \u003cpre\u003e element to inject HTML code outside of the intended code block, potentially leading to arbitrary JavaScript execution.","title":"JustHTML XSS Vulnerability via Code Fence Breakout","url":"https://feed.craftedsignal.io/briefs/2024-01-09-justhtml-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Justhtml","version":"https://jsonfeed.org/version/1.1"}